---
title: UAA API Reference

search: true

toc_footers:
  - <a href="./propMappings/">Internal Property Mappings</a>

---

<%
  def render(doc_relative_path)
    ERB.new(File.read('../../build/generated-snippets/' + doc_relative_path)).result(binding)
  end
%>

# Overview

The User Account and Authentication Service (UAA):

- is an OAuth2 server that can be used for centralized identity management
- owns the user accounts and authentication sources (SAML, LDAP)
- supports standard protocols such as SAML, LDAP and OpenID Connect to provide single sign-on and delegated authorization to web applications
- can be invoked via JSON APIs
- provides a basic login/approval UI for web client apps
- supports APIs for user account management for an external web UI
- exposes APIs that are mostly defined by the specs for the OAuth2, OpenID Connect, and SCIM standards


# Authorization

## Authorization Code Grant

### Browser flow

<%= render('AuthorizeEndpointDocs/browserCodeRequest/curl-request.md') %>
<%= render('AuthorizeEndpointDocs/browserCodeRequest/http-request.md') %>
<%= render('AuthorizeEndpointDocs/browserCodeRequest/http-response.md') %>

_Request Parameters_

<%= render('AuthorizeEndpointDocs/browserCodeRequest/request-parameters.md') %>

### API flow

<%= render('AuthorizeEndpointDocs/apiCodeRequest/curl-request.md') %>
<%= render('AuthorizeEndpointDocs/apiCodeRequest/http-request.md') %>
<%= render('AuthorizeEndpointDocs/apiCodeRequest/http-response.md') %>

_Request Parameters_

<%= render('AuthorizeEndpointDocs/apiCodeRequest/request-parameters.md') %>

_Request Headers_

<%= render('AuthorizeEndpointDocs/apiCodeRequest/request-headers.md') %>

<aside class="notice">
  The client must have autoapprove=true, or you will not get a code back.<br/>
  The client must have a redirect_uri registered; it is a required parameter of the request.<br/>
  The token must have scope "uaa.user" in order to exchange a token for an authorization code.<br/>
</aside>

## Implicit Grant

<%= render('AuthorizeEndpointDocs/implicitGrant_browserRequest/curl-request.md') %>
<%= render('AuthorizeEndpointDocs/implicitGrant_browserRequest/http-request.md') %>
<%= render('AuthorizeEndpointDocs/implicitGrant_browserRequest/http-response.md') %>

_Request Parameters_

<%= render('AuthorizeEndpointDocs/implicitGrant_browserRequest/request-parameters.md') %>

_Response Headers_

<%= render('AuthorizeEndpointDocs/implicitGrant_browserRequest/response-headers.md') %>

## Implicit Grant with prompt

<%= render('AuthorizeEndpointDocs/implicitGrantWithPromptParameter_browserRequest/curl-request.md') %>
<%= render('AuthorizeEndpointDocs/implicitGrantWithPromptParameter_browserRequest/http-request.md') %>
<%= render('AuthorizeEndpointDocs/implicitGrantWithPromptParameter_browserRequest/http-response.md') %>

_Request Parameters_

<%= render('AuthorizeEndpointDocs/implicitGrantWithPromptParameter_browserRequest/request-parameters.md') %>

_Response Headers_

<%= render('AuthorizeEndpointDocs/implicitGrantWithPromptParameter_browserRequest/response-headers.md') %>

## OpenID Connect flow

#### OpenID Provider Configuration Request

An OpenID Provider Configuration Document MUST be queried using an HTTP GET request at the previously specified path.

<%= render('OpenIdConnectEndpointDocs/getWellKnownOpenidConf/curl-request.md') %>
<%= render('OpenIdConnectEndpointDocs/getWellKnownOpenidConf/http-request.md') %>
<%= render('OpenIdConnectEndpointDocs/getWellKnownOpenidConf/http-response.md') %>

_Response Fields_

<%= render('OpenIdConnectEndpointDocs/getWellKnownOpenidConf/response-fields.md') %>

#### ID token

  The authorization request may specify a response type of id_token, and an ID token as defined
  by OpenID Connect will be included in the fragment of the redirect URL.

<%= render('AuthorizeEndpointDocs/getIdToken/curl-request.md') %>
<%= render('AuthorizeEndpointDocs/getIdToken/http-request.md') %>
<%= render('AuthorizeEndpointDocs/getIdToken/http-response.md') %>

_Request Parameters_

<%= render('AuthorizeEndpointDocs/getIdToken/request-parameters.md') %>

_Response Headers_

<%= render('AuthorizeEndpointDocs/getIdToken/response-headers.md') %>

#### ID token and Access token

  The request may specify that the client expects an ID token as defined by OpenID Connect, and this
  ID token will be included alongside the access token.

<%= render('AuthorizeEndpointDocs/getIdTokenAndAccessToken/curl-request.md') %>
<%= render('AuthorizeEndpointDocs/getIdTokenAndAccessToken/http-request.md') %>
<%= render('AuthorizeEndpointDocs/getIdTokenAndAccessToken/http-response.md') %>

_Request Parameters_

<%= render('AuthorizeEndpointDocs/getIdTokenAndAccessToken/request-parameters.md') %>

_Response Headers_

<%= render('AuthorizeEndpointDocs/getIdTokenAndAccessToken/response-headers.md') %>

### Hybrid flow

  The request may specify that the client expects an ID token as defined by OpenID Connect, and this
  ID token will be included alongside the authorization code.

<%= render('AuthorizeEndpointDocs/getIdTokenAndCode/curl-request.md') %>
<%= render('AuthorizeEndpointDocs/getIdTokenAndCode/http-request.md') %>
<%= render('AuthorizeEndpointDocs/getIdTokenAndCode/http-response.md') %>

_Request Parameters_

<%= render('AuthorizeEndpointDocs/getIdTokenAndCode/request-parameters.md') %>

_Response Headers_

<%= render('AuthorizeEndpointDocs/getIdTokenAndCode/response-headers.md') %>

# Token

The `/oauth/token` endpoint requires client authentication to be accessed. Client authentication can be passed
as part of the request authorization header, using basic authentication, or as part of the request parameters, using the `client_id` and `client_secret` parameter
names.

## Authorization Code Grant

<%= render('TokenEndpointDocs/getTokenUsingAuthCodeGrant/curl-request.md') %>
<%= render('TokenEndpointDocs/getTokenUsingAuthCodeGrant/http-request.md') %>
<%= render('TokenEndpointDocs/getTokenUsingAuthCodeGrant/http-response.md') %>

_Request Headers_

<%= render('TokenEndpointDocs/getTokenUsingAuthCodeGrant/request-headers.md') %>

_Request Parameters_

<%= render('TokenEndpointDocs/getTokenUsingAuthCodeGrant/request-parameters.md') %>

_Response Fields_

<%= render('TokenEndpointDocs/getTokenUsingAuthCodeGrant/response-fields.md') %>

## Client Credentials Grant

### Without Authorization

<%= render('TokenEndpointDocs/getTokenUsingClientCredentialGrant/curl-request.md') %>
<%= render('TokenEndpointDocs/getTokenUsingClientCredentialGrant/http-request.md') %>
<%= render('TokenEndpointDocs/getTokenUsingClientCredentialGrant/http-response.md') %>

_Request Parameters_

<%= render('TokenEndpointDocs/getTokenUsingClientCredentialGrant/request-parameters.md') %>

_Response Fields_

<%= render('TokenEndpointDocs/getTokenUsingClientCredentialGrant/response-fields.md') %>

### With Authorization

<%= render('TokenEndpointDocs/getTokenUsingClientCredentialGrantWithAuthorizationHeader/curl-request.md') %>
<%= render('TokenEndpointDocs/getTokenUsingClientCredentialGrantWithAuthorizationHeader/http-request.md') %>
<%= render('TokenEndpointDocs/getTokenUsingClientCredentialGrantWithAuthorizationHeader/http-response.md') %>

_Request Header_

<%= render('TokenEndpointDocs/getTokenUsingClientCredentialGrantWithAuthorizationHeader/request-headers.md') %>

_Request Parameters_

<%= render('TokenEndpointDocs/getTokenUsingClientCredentialGrantWithAuthorizationHeader/request-parameters.md') %>

_Response Fields_

<%= render('TokenEndpointDocs/getTokenUsingClientCredentialGrantWithAuthorizationHeader/response-fields.md') %>


## Password Grant

<%= render('TokenEndpointDocs/getTokenUsingPasswordGrant/curl-request.md') %>
<%= render('TokenEndpointDocs/getTokenUsingPasswordGrant/http-request.md') %>
<%= render('TokenEndpointDocs/getTokenUsingPasswordGrant/http-response.md') %>

_Request Parameters_

<%= render('TokenEndpointDocs/getTokenUsingPasswordGrant/request-parameters.md') %>

_Response Fields_

<%= render('TokenEndpointDocs/getTokenUsingPasswordGrant/response-fields.md') %>

### Password Grant with MFA

<aside class="warning">
  MFA support is in active development and is not ready for production use.
</aside>

A password grant can be completed when multi-factor authentication is enabled.


<%= render('TokenEndpointDocs/getTokenUsingMfaPasswordGrant/curl-request.md') %>
<%= render('TokenEndpointDocs/getTokenUsingMfaPasswordGrant/http-request.md') %>
<%= render('TokenEndpointDocs/getTokenUsingMfaPasswordGrant/http-response.md') %>

_Request Parameters_

<%= render('TokenEndpointDocs/getTokenUsingMfaPasswordGrant/request-parameters.md') %>

_Response Fields_

<%= render('TokenEndpointDocs/getTokenUsingMfaPasswordGrant/response-fields.md') %>

### One-time Passcode

<%= render('TokenEndpointDocs/getTokenUsingPasscode/curl-request.md') %>
<%= render('TokenEndpointDocs/getTokenUsingPasscode/http-request.md') %>
<%= render('TokenEndpointDocs/getTokenUsingPasscode/http-response.md') %>

_Request Header_

<%= render('TokenEndpointDocs/getTokenUsingPasscode/request-headers.md') %>

_Request Parameters_

<%= render('TokenEndpointDocs/getTokenUsingPasscode/request-parameters.md') %>

_Response Fields_

<%= render('TokenEndpointDocs/getTokenUsingPasscode/response-fields.md') %>

<aside class="notice">
  The client-id and client-secret can also be included in the header as Basic Authorization for all grant types.
</aside>

## User Token Grant

<aside class="success">
  Added in UAA 3.7.0
</aside>

A `user_token` grant is a flow that allows the generation of a refresh_token for another client.
The requesting client must have `grant_type=user_token`, and the bearer token for this request must have `uaa.user`
and be a token that represents an authenticated user.

The idea with this grant flow is that a user can preapprove a token grant for another client, rather than having to participate in
the approval process when the client needs the access token.

The `refresh_token` that results from this grant is opaque and can only be exchanged by the client it was intended for.

<%= render('TokenEndpointDocs/getTokenUsingUserTokenGrant/curl-request.md') %>
<%= render('TokenEndpointDocs/getTokenUsingUserTokenGrant/http-request.md') %>
<%= render('TokenEndpointDocs/getTokenUsingUserTokenGrant/http-response.md') %>

_Request Parameters_

<%= render('TokenEndpointDocs/getTokenUsingUserTokenGrant/request-parameters.md') %>

_Response Fields_

<%= render('TokenEndpointDocs/getTokenUsingUserTokenGrant/response-fields.md') %>

<aside class="notice">
  This grant type is custom to the Cloud Foundry UAA.
</aside>


## SAML2 Bearer Grant

<aside class="success">
  Added in 3.10.0
</aside>

The SAML 2.0 bearer grant allows a client to request an OAuth 2.0 access token with a SAML 2.0 bearer assertion. The flow is defined in
[RFC 7522](https://tools.ietf.org/html/rfc7522). The requesting client must have `grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer`.
In addition, the requesting client must either allow the IDP in `allowedproviders` or omit the property so that any trusted IDP is allowed.
Trust in the assertion issuer is reused from the SAML 2.0 WebSSO profiles.

This grant enables an App2App mechanism with SSO. Typical scenarios are applications outside of CF that consume a service within the CF world.
The endpoint of the bearer assertion is `/oauth/token/alias/<entityid>`, so the Recipient attribute in
the bearer assertion must point to the corresponding URI, e.g. `http://localhost:8080/uaa/oauth/token/alias/cloudfoundry-saml-login`.

<%= render('TokenEndpointDocs/getTokenUsingSaml2BearerGrant/curl-request.md') %>
<%= render('TokenEndpointDocs/getTokenUsingSaml2BearerGrant/http-request.md') %>
<%= render('TokenEndpointDocs/getTokenUsingSaml2BearerGrant/http-response.md') %>

_Request Parameters_

<%= render('TokenEndpointDocs/getTokenUsingSaml2BearerGrant/request-parameters.md') %>

_Response Fields_

<%= render('TokenEndpointDocs/getTokenUsingSaml2BearerGrant/response-fields.md') %>

## JWT Bearer Token Grant

<aside class="success">
  Added in 4.5.0
</aside>

The _JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants_
allows a client to request an OAuth 2.0 access token with a JWT id_token bearer assertion. The flow is defined in
[RFC 7523](https://tools.ietf.org/html/rfc7523). The requesting client must have `grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer`.
In addition, the requesting client must either allow the IDP in `allowedproviders` or omit the property so that any trusted IDP is allowed.
To establish trust in the assertion, the issuer claim is used to select an OIDC provider (IDP) configured in the
UAA database. If multiple providers exist that have the same issuer, the grant will fail.

<%= render('JwtBearerGrantEndpointDocs/document_jwt_bearer_grant/curl-request.md') %>
<%= render('JwtBearerGrantEndpointDocs/document_jwt_bearer_grant/http-request.md') %>
<%= render('JwtBearerGrantEndpointDocs/document_jwt_bearer_grant/http-response.md') %>

_Request Headers_

<%= render('JwtBearerGrantEndpointDocs/document_jwt_bearer_grant/request-headers.md') %>

_Request Parameters_

<%= render('JwtBearerGrantEndpointDocs/document_jwt_bearer_grant/request-parameters.md') %>

_Response Fields_

<%= render('JwtBearerGrantEndpointDocs/document_jwt_bearer_grant/response-fields.md') %>

## Refresh Token

<%= render('TokenEndpointDocs/refreshToken/curl-request.md') %>
<%= render('TokenEndpointDocs/refreshToken/http-request.md') %>
<%= render('TokenEndpointDocs/refreshToken/http-response.md') %>

_Request Parameters_

<%= render('TokenEndpointDocs/refreshToken/request-parameters.md') %>

_Response Fields_

<%= render('TokenEndpointDocs/refreshToken/response-fields.md') %>

## OpenID Connect

The token endpoint can provide an ID token as defined by OpenID Connect.

<%= render('TokenEndpointDocs/getIdTokenUsingAuthCodeGrant/curl-request.md') %>
<%= render('TokenEndpointDocs/getIdTokenUsingAuthCodeGrant/http-request.md') %>
<%= render('TokenEndpointDocs/getIdTokenUsingAuthCodeGrant/http-response.md') %>

_Request Parameters_

<%= render('TokenEndpointDocs/getIdTokenUsingAuthCodeGrant/request-parameters.md') %>

_Response Fields_

<%= render('TokenEndpointDocs/getIdTokenUsingAuthCodeGrant/response-fields.md') %>

## Revoke tokens

<aside class="success">
  Added in UAA 3.3.0
</aside>

### Revoke all tokens for a user

<%= render('TokenEndpointDocs/revokeAllTokens_forAUser/curl-request.md') %>
<%= render('TokenEndpointDocs/revokeAllTokens_forAUser/http-request.md') %>
<%= render('TokenEndpointDocs/revokeAllTokens_forAUser/http-response.md') %>

_Path Parameters_

<%= render('TokenEndpointDocs/revokeAllTokens_forAUser/path-parameters.md') %>

_Request Header_

<%= render('TokenEndpointDocs/revokeAllTokens_forAUser/request-headers.md') %>

### Revoke all tokens for a client

<%= render('TokenEndpointDocs/revokeAllTokens_forAClient/curl-request.md') %>
<%= render('TokenEndpointDocs/revokeAllTokens_forAClient/http-request.md') %>
<%= render('TokenEndpointDocs/revokeAllTokens_forAClient/http-response.md') %>

_Path Parameters_

<%= render('TokenEndpointDocs/revokeAllTokens_forAClient/path-parameters.md') %>

_Request Header_

<%= render('TokenEndpointDocs/revokeAllTokens_forAClient/request-headers.md') %>

### Revoke all tokens for a user and client combination

<%= render('TokenEndpointDocs/revokeAllTokens_forAUserClientCombination/curl-request.md') %>
<%= render('TokenEndpointDocs/revokeAllTokens_forAUserClientCombination/http-request.md') %>
<%= render('TokenEndpointDocs/revokeAllTokens_forAUserClientCombination/http-response.md') %>

_Path Parameters_

<%= render('TokenEndpointDocs/revokeAllTokens_forAUserClientCombination/path-parameters.md') %>

_Request Header_

<%= render('TokenEndpointDocs/revokeAllTokens_forAUserClientCombination/request-headers.md') %>

### Revoke a single token

<%= render('TokenEndpointDocs/revokeSingleToken/curl-request.md') %>
<%= render('TokenEndpointDocs/revokeSingleToken/http-request.md') %>
<%= render('TokenEndpointDocs/revokeSingleToken/http-response.md') %>

_Path Parameters_

<%= render('TokenEndpointDocs/revokeSingleToken/path-parameters.md') %>

_Request Header_

<%= render('TokenEndpointDocs/revokeSingleToken/request-headers.md') %>


## List tokens

<aside class="success">
  Added in UAA 3.7.1
</aside>

### List all tokens for a user

The `/oauth/token/list/user/{userId}` endpoint returns all the tokens that match the user_id in the path parameter.
The token used for this request requires the `tokens.list` scope.


<%= render('TokenEndpointDocs/listTokens_user/curl-request.md') %>
<%= render('TokenEndpointDocs/listTokens_user/http-request.md') %>
<%= render('TokenEndpointDocs/listTokens_user/http-response.md') %>

_Request Header_

<%= render('TokenEndpointDocs/listTokens_user/request-headers.md') %>

_Path Parameters_

<%= render('TokenEndpointDocs/listTokens_user/path-parameters.md') %>

_Response Fields_

<%= render('TokenEndpointDocs/listTokens_user/response-fields.md') %>

### List all tokens for a client

The `/oauth/token/list/client/{clientId}` endpoint returns all the tokens that match the client_id in the path parameter.
The token used for this request requires the `tokens.list` scope.

<%= render('TokenEndpointDocs/listTokens_client/curl-request.md') %>
<%= render('TokenEndpointDocs/listTokens_client/http-request.md') %>
<%= render('TokenEndpointDocs/listTokens_client/http-response.md') %>

_Request Header_

<%= render('TokenEndpointDocs/listTokens_client/request-headers.md') %>

_Path Parameters_

<%= render('TokenEndpointDocs/listTokens_client/path-parameters.md') %>

_Response Fields_

<%= render('TokenEndpointDocs/listTokens_client/response-fields.md') %>

# Introspect Token

<aside class="notice">
  New in UAA 74.2.0: `/introspect` will now accept a client_credentials access_token with `uaa.resource` scope
</aside>

The introspect token endpoint is [RFC 7662](https://tools.ietf.org/html/rfc7662) compliant. The `active` flag in the response, not the HTTP status code, shows whether the token is valid.
The status code will be 200 OK for both valid and invalid tokens.
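
Because the status code is 200 for valid and invalid tokens alike, a resource server has to base its decision on the `active` field. The following Python function is an added example, not UAA code: the function name, the sample response bodies and the scope names are constructed, and it accepts `scope` either as a JSON list or as the space-separated string of RFC 7662.

```python
import json


def authorize_from_introspection(status_code, body, required_scope):
    """Decide whether to serve a request based on an /introspect reply.

    Returns (allowed, reason). Hypothetical helper written for this example.
    """
    # A non-200 reply says nothing about the presented token; the
    # introspection call itself failed (for example, our own credentials).
    if status_code != 200:
        return False, "introspection call failed"
    try:
        data = json.loads(body)
    except ValueError:
        return False, "unparseable response"
    if not isinstance(data, dict):
        return False, "unparseable response"

    # Fail closed: only the JSON boolean true counts. A missing field,
    # null or the string "true" is treated as an inactive token.
    if data.get("active") is not True:
        return False, "token inactive"

    scope = data.get("scope")
    if isinstance(scope, str):
        granted = scope.split()
    elif isinstance(scope, list):
        granted = scope
    else:
        granted = []
    if required_scope not in granted:
        return False, "missing scope"
    return True, "ok"


# Constructed sample replies (status code, body); not captured from a real UAA.
SAMPLES = {
    "valid": (200, '{"active": true, "client_id": "constructed-app", "scope": ["orders.read"]}'),
    "valid_rfc_scope": (200, '{"active": true, "scope": "orders.read orders.write"}'),
    "revoked": (200, '{"active": false}'),
    "string_flag": (200, '{"active": "true", "scope": ["orders.read"]}'),
    "no_flag": (200, '{"scope": ["orders.read"]}'),
    "wrong_scope": (200, '{"active": true, "scope": ["profile"]}'),
    "caller_rejected": (401, '{"error": "unauthorized"}'),
    "html_error_page": (200, "<html>proxy error</html>"),
}


def decide(sample_name, required_scope="orders.read"):
    """Run the decision function over one of the constructed samples."""
    status_code, body = SAMPLES[sample_name]
    return authorize_from_introspection(status_code, body, required_scope)


if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:16} -> {decide(name)}")
```

A caller that checks only `status_code == 200` would accept the `revoked`, `string_flag` and `no_flag` replies above.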

<%= render('IntrospectTokenEndpointDocs/introspectToken/curl-request.md') %>
<%= render('IntrospectTokenEndpointDocs/introspectToken/http-request.md') %>
<%= render('IntrospectTokenEndpointDocs/introspectToken/http-response.md') %>

_Request Headers_

<%= render('IntrospectTokenEndpointDocs/introspectToken/request-headers.md') %>

_Request Parameters_

<%= render('IntrospectTokenEndpointDocs/introspectToken/request-parameters.md') %>

_Response Fields_

<%= render('IntrospectTokenEndpointDocs/introspectToken/response-fields.md') %>

# Check Token

<aside class="warning">
  The `/check_token` endpoint is deprecated since version 74.2.0 and will be removed in a future release.  Please use `/introspect` instead.
</aside>

<%= render('CheckTokenEndpointDocs/checkToken/curl-request.md') %>
<%= render('CheckTokenEndpointDocs/checkToken/http-request.md') %>
<%= render('CheckTokenEndpointDocs/checkToken/http-response.md') %>

_Request Headers_

<%= render('CheckTokenEndpointDocs/checkToken/request-headers.md') %>

_Request Parameters_

<%= render('CheckTokenEndpointDocs/checkToken/request-parameters.md') %>

_Response Fields_

<%= render('CheckTokenEndpointDocs/checkToken/response-fields.md') %>

# Token Key(s)

## Token Key

This endpoint returns the JSON Web Token (JWT) key that the UAA uses to sign JWT access tokens and that authorized clients use to verify that a token came from the UAA. The key is in JSON Web Key format. For complete information about JSON Web Keys, see [RFC 7517](https://tools.ietf.org/html/rfc7517). When the token key is symmetric, the signer key and the verifier key are the same, so this call is authenticated with client credentials using the HTTP Basic method.

JWT signing keys are specified via the identity zone configuration (see [/identity-zones](#identity-zones)). An identity zone token policy can be configured with multiple keys for purposes of key rotation. When adding a new key, set its ID as the `activeKeyId` to use it to sign all new tokens. [/introspect](#introspect) will continue to verify tokens signed with the previous signing key for as long as it is present in the `keys` of the identity zone's token policy. Remove it to invalidate all those tokens.

### Asymmetric

<%= render('TokenKeyEndpointDocs/getTokenAsymmetricAuthenticated/curl-request.md') %>
<%= render('TokenKeyEndpointDocs/getTokenAsymmetricAuthenticated/http-request.md') %>
<%= render('TokenKeyEndpointDocs/getTokenAsymmetricAuthenticated/http-response.md') %>

_Request Headers_

<%= render('TokenKeyEndpointDocs/getTokenAsymmetricAuthenticated/request-headers.md') %>

_Response Headers_

<%= render('TokenKeyEndpointDocs/getTokenAsymmetricAuthenticated/response-headers.md') %>

_Response Fields_

<%= render('TokenKeyEndpointDocs/getTokenAsymmetricAuthenticated/response-fields.md') %>

_Error Codes_

| Error Code | Description                                                                                            |
|------------|--------------------------------------------------------------------------------------------------------|
| 401        | Unauthorized - Unregistered client or incorrect client secret                                          |

### Symmetric

<%= render('TokenKeyEndpointDocs/getTokenSymmetricAuthenticated/curl-request.md') %>
<%= render('TokenKeyEndpointDocs/getTokenSymmetricAuthenticated/http-request.md') %>
<%= render('TokenKeyEndpointDocs/getTokenSymmetricAuthenticated/http-response.md') %>

_Request Headers_

<%= render('TokenKeyEndpointDocs/getTokenSymmetricAuthenticated/request-headers.md') %>

_Response Fields_

<%= render('TokenKeyEndpointDocs/getTokenSymmetricAuthenticated/response-fields.md') %>

_Error Codes_

| Error Code | Description                                                                                            |
|------------|--------------------------------------------------------------------------------------------------------|
| 401        | Unauthorized - Unregistered client or incorrect client secret                                          |
| 403        | Forbidden - Not a resource server (missing `uaa.resource` scope)                                       |

## Token Keys

An endpoint which returns the list of JWT keys. To support key rotation, this list specifies the IDs of all currently valid keys. JWT tokens issued by the UAA contain a `kid` field, indicating which key should be used for verification of the token.
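
The `kid` lookup described here, and the rotation behaviour described under Token Key (a token stops verifying once its key is removed), can be exercised offline. This Python code is an added example, not UAA code: the key IDs, secrets and tokens are constructed, and the key entries use the standard RFC 7517 symmetric JWK fields (`kty: oct`, `k`), which is an assumption; the field names UAA returns are those listed under Response Fields. It uses HS256 so that it runs with the standard library alone; with asymmetric keys the `kid` selection is the same and only the signature check changes.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def oct_jwk(kid: str, secret: bytes) -> dict:
    """Symmetric key as an RFC 7517 JWK (assumed shape for this example)."""
    return {"kty": "oct", "kid": kid, "alg": "HS256", "use": "sig",
            "k": b64url_encode(secret)}


# Constructed key sets: during rotation both keys are published; after the
# old key is removed from the zone's token policy only the new one remains.
OLD_SECRET, NEW_SECRET = b"constructed-old-secret", b"constructed-new-secret"
KEYS_DURING_ROTATION = {"keys": [oct_jwk("key-old", OLD_SECRET),
                                 oct_jwk("key-new", NEW_SECRET)]}
KEYS_AFTER_REMOVAL = {"keys": [oct_jwk("key-new", NEW_SECRET)]}


def make_token(header: dict, claims: dict, secret: bytes) -> str:
    """Build a compact JWT for the demo (stands in for an issued token)."""
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    mac = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(mac)}"


class TokenRejected(Exception):
    """Raised with a short reason when a token must not be trusted."""


def verify_with_key_set(token: str, key_set: dict) -> dict:
    """Verify an HS256 JWT against the key named by its kid; return claims.

    Only the signature is checked; exp, aud and iss still need validating
    before the claims are used.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:  # wrong part count, bad base64 or bad JSON
        raise TokenRejected("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(header.get("kid"), str):
        raise TokenRejected("missing kid")

    # Select exactly one key by kid. Never fall back to trying every key:
    # a kid that is no longer published means the key was rotated out.
    key = next((k for k in key_set.get("keys", [])
                if k.get("kid") == header["kid"]), None)
    if key is None:
        raise TokenRejected("unknown kid")

    # The algorithm is pinned by the trusted key entry, not by the token.
    if (key.get("kty") != "oct" or key.get("alg") != "HS256"
            or header.get("alg") != "HS256"):
        raise TokenRejected("algorithm mismatch")

    expected = hmac.new(b64url_decode(key["k"]),
                        f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenRejected("bad signature")
    try:
        return json.loads(b64url_decode(payload_b64))
    except ValueError as exc:
        raise TokenRejected("malformed token") from exc


def rejection_reason(token: str, key_set: dict):
    """Return None if the token verifies, otherwise the rejection reason."""
    try:
        verify_with_key_set(token, key_set)
        return None
    except TokenRejected as exc:
        return str(exc)


if __name__ == "__main__":
    old = make_token({"alg": "HS256", "kid": "key-old"},
                     {"sub": "constructed-user"}, OLD_SECRET)
    print("during rotation:", rejection_reason(old, KEYS_DURING_ROTATION))
    print("after removal:  ", rejection_reason(old, KEYS_AFTER_REMOVAL))
```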

<%= render('TokenKeyEndpointDocs/checkTokenKeysValues/curl-request.md') %>
<%= render('TokenKeyEndpointDocs/checkTokenKeysValues/http-request.md') %>
<%= render('TokenKeyEndpointDocs/checkTokenKeysValues/http-response.md') %>

_Request Headers_

<%= render('TokenKeyEndpointDocs/checkTokenKeysValues/request-headers.md') %>

_Response Headers_

<%= render('TokenKeyEndpointDocs/checkTokenKeysValues/response-headers.md') %>

_Response Fields_

<%= render('TokenKeyEndpointDocs/checkTokenKeysValues/response-fields.md') %>

_Error Codes_

| Error Code | Description                                                                                            |
|------------|--------------------------------------------------------------------------------------------------------|
| 401        | Unauthorized - Unregistered client or incorrect client secret                                          |

# Session Management

## Logout.do

The logout endpoint is meant to be used by applications to log the user out of the UAA session. UAA will only log a user out of the UAA session if they also hit this endpoint, and may also perform Single Logout with SAML providers if configured to do so.
The recommendation for application authors is to:

* provide a local logout feature specific to the client application
  and use that to clear state in the client
* as part of the logout, redirect to the logout endpoint using their client ID
* provide a redirect param in the link to the logout success page of their application so
  that the user comes back to a familiar place when logged out
* add the logout success page to the client's redirect_uri configuration to whitelist the URL

If the chosen redirect URI is not whitelisted, users will land on the UAA login page. This is a security feature intended to prevent open redirects as per [RFC 6749](https://tools.ietf.org/html/rfc6749#section-10.15).

<%= render('LogoutInfoEndpointDocs/logout/curl-request.md') %>
<%= render('LogoutInfoEndpointDocs/logout/http-request.md') %>
<%= render('LogoutInfoEndpointDocs/logout/http-response.md') %>

_Request Parameters_

<%= render('LogoutInfoEndpointDocs/logout/request-parameters.md') %>

_Response Headers_

<%= render('LogoutInfoEndpointDocs/logout/response-headers.md') %>

# Identity Zones

The UAA supports multi-tenancy. This is referred to as **identity zones**. An identity zone is accessed through a unique subdomain. If the standard UAA responds to [https://uaa.10.244.0.34.xip.io](https://uaa.10.244.0.34.xip.io), a zone on this UAA would be accessed through [https://testzone1.uaa.10.244.0.34.xip.io](https://testzone1.uaa.10.244.0.34.xip.io).

>A zone contains a unique identifier as well as a unique subdomain:

```json
{
    "id":"testzone1",
    "subdomain":"testzone1",
    "name":"The Twiglet Zone[testzone1]",
    "version":0,
    "description":"Like the Twilight Zone but tastier[testzone1].",
    "created":1426258488910,
    "last_modified":1426258488910
}
```

>The UAA by default creates a default zone. This zone will always be present, the ID will always be `uaa`, and the subdomain is blank:

```json
{
    "id": "uaa",
    "subdomain": "",
    "name": "uaa",
    "version": 0,
    "description": "The system zone for backwards compatibility",
    "created": 946710000000,
    "last_modified": 946710000000
}
```

<aside class="notice">
  Note that if you specify a subdomain in mixed or upper case for creation or update of an identity zone, it will be converted into lower case before being stored in the database. This way the UAA has an easy way to query the database for a zone based on a hostname.
</aside>

## Creating an identity zone

An identity zone is created using a `POST` with an `IdentityZone` object. If the object contains an id, this id will be used as the identifier, otherwise an identifier will be generated. Once a zone has been created, the UAA will start accepting requests on the subdomain defined in the `subdomain` field of the identity zone.
When an Identity Zone is created, an internal Identity Provider is automatically created with the default password policy.

<%= render('IdentityZoneEndpointDocs/createIdentityZone/curl-request.md') %>
<%= render('IdentityZoneEndpointDocs/createIdentityZone/http-request.md') %>
<%= render('IdentityZoneEndpointDocs/createIdentityZone/http-response.md') %>

_Request Headers_

<%= render('IdentityZoneEndpointDocs/createIdentityZone/request-headers.md') %>

_Request Fields_

<%= render('IdentityZoneEndpointDocs/createIdentityZone/request-fields.md') %>

_Response Fields_

<%= render('IdentityZoneEndpointDocs/createIdentityZone/response-fields.md') %>

_Error Codes_

| Error Code | Description                                                                                            |
|------------|--------------------------------------------------------------------------------------------------------|
| 400        | Bad Request                                                                                            |
| 401        | Unauthorized - Invalid token                                                                           |
| 403        | Forbidden - Insufficient scope (Zones can only be created by being authenticated in the default zone.) |
| 422        | Unprocessable Entity - Invalid zone details                                                            |

>Sequential example of creating a zone and creating an admin client in that zone:

```bash
uaac target http://localhost:8080/uaa

uaac token client get admin -s adminsecret

uaac client update admin --authorities "uaa.admin,clients.read,clients.write,clients.secret,scim.read,scim.write,clients.admin,zones.testzone1.admin,zones.write"

uaac token client get admin -s adminsecret

uaac -t curl -XPOST -H"Content-Type:application/json" -H"Accept:application/json" --data '{ "id":"testzone1", "subdomain":"testzone1", "name":"The Twiglet Zone[testzone1]", "version":0, "description":"Like the Twilight Zone but tastier[testzone1]."}' /identity-zones

uaac -t curl -H"X-Identity-Zone-Id:testzone1" -XPOST -H"Content-Type:application/json" -H"Accept:application/json" --data '{ "client_id" : "admin", "client_secret" : "adminsecret", "scope" : ["uaa.none"], "resource_ids" : ["none"], "authorities" : ["uaa.admin","clients.read","clients.write","clients.secret","scim.read","scim.write","clients.admin"], "authorized_grant_types" : ["client_credentials"]}' /oauth/clients

uaac target http://testzone1.localhost:8080/uaa

uaac token client get admin -s adminsecret

uaac token decode
```

## Retrieving an identity zone

<%= render('IdentityZoneEndpointDocs/getIdentityZone/curl-request.md') %>
<%= render('IdentityZoneEndpointDocs/getIdentityZone/http-request.md') %>
<%= render('IdentityZoneEndpointDocs/getIdentityZone/http-response.md') %>

_Path Parameters_

<%= render('IdentityZoneEndpointDocs/getIdentityZone/path-parameters.md') %>

_Request Headers_

<%= render('IdentityZoneEndpointDocs/getIdentityZone/request-headers.md') %>

_Response Fields_

<%= render('IdentityZoneEndpointDocs/getIdentityZone/response-fields.md') %>

_Error Codes_

| Error Code | Description                                                                                            |
|------------|--------------------------------------------------------------------------------------------------------|
| 400        | Bad Request                                                                                            |
| 401        | Unauthorized - Invalid token                                                                           |
| 403        | Forbidden - Insufficient scope                                                                         |
| 404        | Not Found - Zone does not exist                                                                        |

## Retrieving all identity zones

<%= render('IdentityZoneEndpointDocs/getAllIdentityZones/curl-request.md') %>
<%= render('IdentityZoneEndpointDocs/getAllIdentityZones/http-request.md') %>
<%= render('IdentityZoneEndpointDocs/getAllIdentityZones/http-response.md') %>

_Request Headers_

<%= render('IdentityZoneEndpointDocs/getAllIdentityZones/request-headers.md') %>

_Response Fields_

<%= render('IdentityZoneEndpointDocs/getAllIdentityZones/response-fields.md') %>

_Error Codes_

| Error Code | Description                                                                                            |
|------------|--------------------------------------------------------------------------------------------------------|
| 400        | Bad Request                                                                                            |
| 401        | Unauthorized - Invalid token                                                                           |
| 403        | Forbidden - Insufficient scope                                                                         |

## Updating an Identity Zone

<%= render('IdentityZoneEndpointDocs/updateIdentityZone/curl-request.md') %>
<%= render('IdentityZoneEndpointDocs/updateIdentityZone/http-request.md') %>
<%= render('IdentityZoneEndpointDocs/updateIdentityZone/http-response.md') %>

_Path Parameters_

<%= render('IdentityZoneEndpointDocs/updateIdentityZone/path-parameters.md') %>

_Request Headers_

<%= render('IdentityZoneEndpointDocs/updateIdentityZone/request-headers.md') %>

_Request Fields_

<%= render('IdentityZoneEndpointDocs/updateIdentityZone/request-fields.md') %>

_Response Fields_

<%= render('IdentityZoneEndpointDocs/updateIdentityZone/response-fields.md') %>

_Error Codes_

| Error Code | Description                                                           |
|------------|-----------------------------------------------------------------------|
| 400        | Bad Request                                                           |
| 401        | Unauthorized - Invalid token                                          |
| 403        | Forbidden - Insufficient scope (zone admins can only update own zone) |
| 404        | Not Found - Update to nonexistent zone                                |
| 422        | Unprocessable Entity - Invalid zone details                           |

## Deleting an Identity Zone

<%= render('IdentityZoneEndpointDocs/deleteIdentityZone/curl-request.md') %>
<%= render('IdentityZoneEndpointDocs/deleteIdentityZone/http-request.md') %>
<%= render('IdentityZoneEndpointDocs/deleteIdentityZone/http-response.md') %>

_Path Parameters_

<%= render('IdentityZoneEndpointDocs/deleteIdentityZone/path-parameters.md') %>

_Request Headers_

<%= render('IdentityZoneEndpointDocs/deleteIdentityZone/request-headers.md') %>

_Response Fields_

<%= render('IdentityZoneEndpointDocs/deleteIdentityZone/response-fields.md') %>

_Error Codes_

| Error Code | Description                                                                 |
|------------|-----------------------------------------------------------------------------|
| 400        | Bad Request                                                                 |
| 401        | Unauthorized - Invalid token                                                |
| 403        | Forbidden - Insufficient scope (zone admins can only delete their own zone) |
| 404        | Not Found - Zone does not exist                                             |


# Identity Providers

## Create

### SAML

<%= render('IdentityProviderEndpointDocs/createSAMLIdentityProvider/curl-request.md') %>
<%= render('IdentityProviderEndpointDocs/createSAMLIdentityProvider/http-request.md') %>
<%= render('IdentityProviderEndpointDocs/createSAMLIdentityProvider/http-response.md') %>

<%= render('IdentityProviderEndpointDocs/createSAMLIdentityProviderMetadataUrl/curl-request.md') %>
<%= render('IdentityProviderEndpointDocs/createSAMLIdentityProviderMetadataUrl/http-request.md') %>
<%= render('IdentityProviderEndpointDocs/createSAMLIdentityProviderMetadataUrl/http-response.md') %>

_Request Headers_

<%= render('IdentityProviderEndpointDocs/createSAMLIdentityProvider/request-headers.md') %>

_Request Parameters_

<%= render('IdentityProviderEndpointDocs/createSAMLIdentityProvider/request-parameters.md') %>

_Request Fields_

<%= render('IdentityProviderEndpointDocs/createSAMLIdentityProvider/request-fields.md') %>

_Response Fields_

<%= render('IdentityProviderEndpointDocs/createSAMLIdentityProvider/response-fields.md') %>

_Error Codes_

| Error Code | Description                                                           |
|------------|-----------------------------------------------------------------------|
| 403        | Forbidden - Insufficient scope                                        |
| 409        | Conflict - Provider with same origin and zone id exists               |
| 422        | Unprocessable Entity - Invalid configuration                          |
| 500        | Internal Server Error                                                 |

### LDAP

LDAP supports several different configurations. The most common one authenticates users with a search and bind strategy.
The available strategies for authentication are:

  * Bind authentication - the UAA uses the user's credentials to construct a DN and attempts a BIND operation against the LDAP server
  * Search and Bind authentication - the UAA takes the username and password, searches for the user DN, and attempts a bind operation against the LDAP server
  * Search and Compare authentication - the UAA takes the username and password, searches for the user DN and the user password, and compares the provided password with the LDAP password

Group integration also supports different strategies:

 * No group integration - LDAP is only used for authentication
 * Map a group to a UAA scope - using external group mappings
 * LDAP groups contain scopes - an entry in the LDAP record contains UAA scope names
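
The three authentication strategies differ in which LDAP operations run and under whose identity. The following is an added illustration, not UAA code: `ToyDirectory`, its entries, the DN pattern and the use of `cn` as the search attribute are all constructed for this example, and no network connection is made.

```python
import hmac

# Constructed entries (DN -> attributes). Passwords are plaintext only to keep the toy
# short; a real directory stores a hash and a comparison must use the same scheme.
ENTRIES = {
    "cn=svc-uaa,ou=services,dc=example,dc=org": {"cn": "svc-uaa", "userPassword": "svc-secret"},
    "cn=alice,ou=people,dc=example,dc=org": {"cn": "alice", "userPassword": "alice-pw"},
    "cn=bob,ou=contractors,dc=example,dc=org": {"cn": "bob", "userPassword": "bob-pw"},
}
SERVICE_DN = "cn=svc-uaa,ou=services,dc=example,dc=org"
DN_PATTERN = "cn={0},ou=people,dc=example,dc=org"


class ToyDirectory:
    """In-memory stand-in for an LDAP server that logs every operation it receives."""

    def __init__(self, entries, password_readers=()):
        self.entries = entries
        self.password_readers = set(password_readers)  # DNs allowed to read userPassword
        self.log = []

    def bind(self, dn, password):
        self.log.append(("bind", dn))
        entry = self.entries.get(dn)
        return entry is not None and hmac.compare_digest(
            entry["userPassword"].encode(), password.encode())

    def search(self, bound_dn, attr, value):
        self.log.append(("search", bound_dn, attr))
        return [dn for dn, e in self.entries.items() if e.get(attr) == value]

    def read_password(self, bound_dn, dn):
        self.log.append(("read userPassword", bound_dn, dn))
        if bound_dn not in self.password_readers:
            raise PermissionError("bound DN may not read userPassword")
        return self.entries[dn]["userPassword"]


def escape_dn_value(value):
    """Escape a user-supplied value before placing it in a DN (RFC 4514)."""
    out = []
    for i, ch in enumerate(value):
        if ch == "\0":
            out.append("\\00")
            continue
        special = ch in ',+"\\<>;='
        leading = i == 0 and ch in "# "
        trailing = i == len(value) - 1 and ch == " "
        out.append("\\" + ch if special or leading or trailing else ch)
    return "".join(out)


def simple_bind(directory, dn_pattern, username, password):
    """Bind: build the DN from the username and bind as the user. No service account."""
    if not password:  # an empty password is an unauthenticated bind (RFC 4513), not a login
        return False
    return directory.bind(dn_pattern.format(escape_dn_value(username)), password)


def _find_user_dn(directory, svc_dn, svc_password, username):
    if not directory.bind(svc_dn, svc_password):
        raise PermissionError("service account bind failed")
    matches = directory.search(svc_dn, "cn", username)
    return matches[0] if len(matches) == 1 else None  # none or ambiguous: reject


def search_and_bind(directory, svc_dn, svc_password, username, password):
    """Search and bind: locate the DN as the service account, then bind as the user."""
    if not password:
        return False
    user_dn = _find_user_dn(directory, svc_dn, svc_password, username)
    return user_dn is not None and directory.bind(user_dn, password)


def search_and_compare(directory, svc_dn, svc_password, username, password):
    """Search and compare: the service account reads the stored password and compares."""
    if not password:
        return False
    user_dn = _find_user_dn(directory, svc_dn, svc_password, username)
    if user_dn is None:
        return False
    stored = directory.read_password(svc_dn, user_dn)
    return hmac.compare_digest(stored.encode(), password.encode())


if __name__ == "__main__":
    d = ToyDirectory(ENTRIES, password_readers={SERVICE_DN})
    print("bind, alice:", simple_bind(d, DN_PATTERN, "alice", "alice-pw"))
    print("bind, bob (outside the DN pattern):", simple_bind(d, DN_PATTERN, "bob", "bob-pw"))
    print("search and bind, bob:", search_and_bind(d, SERVICE_DN, "svc-secret", "bob", "bob-pw"))
    print("search and compare, bob:", search_and_compare(d, SERVICE_DN, "svc-secret", "bob", "bob-pw"))
    for op in d.log:
        print(op)
```

Only search and compare needs a service account with read access to the password attribute, which is the extra privilege to weigh when choosing a strategy.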

#### LDAP Simple Bind
<%= render('IdentityProviderEndpointDocs/create_Simple_Bind_LDAPIdentityProvider/curl-request.md') %>
<%= render('IdentityProviderEndpointDocs/create_Simple_Bind_LDAPIdentityProvider/http-request.md') %>
<%= render('IdentityProviderEndpointDocs/create_Simple_Bind_LDAPIdentityProvider/http-response.md') %>

_Request Headers_

<%= render('IdentityProviderEndpointDocs/create_Simple_Bind_LDAPIdentityProvider/request-headers.md') %>

_Request Parameters_

<%= render('IdentityProviderEndpointDocs/create_Simple_Bind_LDAPIdentityProvider/request-parameters.md') %>

_Request Fields_

<%= render('IdentityProviderEndpointDocs/create_Simple_Bind_LDAPIdentityProvider/request-fields.md') %>

_Response Fields_

<%= render('IdentityProviderEndpointDocs/create_Simple_Bind_LDAPIdentityProvider/request-fields.md') %>

_Error Codes_

| Error Code | Description                                                           |
|------------|-----------------------------------------------------------------------|
| 401        | Unauthorized - Missing or invalid token                               |
| 403        | Forbidden - Insufficient scope                                        |
| 409        | Conflict - Provider with same origin and zone id exists               |
| 422        | Unprocessable Entity - Invalid configuration                          |
| 500        | Internal Server Error                                                 |

#### LDAP Search and Bind

<%= render('IdentityProviderEndpointDocs/create_SearchAndBind_Groups_Map_ToScopes_LDAPIdentityProvider/curl-request.md') %>
<%= render('IdentityProviderEndpointDocs/create_SearchAndBind_Groups_Map_ToScopes_LDAPIdentityProvider/http-request.md') %>
<%= render('IdentityProviderEndpointDocs/create_SearchAndBind_Groups_Map_ToScopes_LDAPIdentityProvider/http-response.md') %>

_Request Headers_

<%= render('IdentityProviderEndpointDocs/create_SearchAndBind_Groups_Map_ToScopes_LDAPIdentityProvider/request-headers.md') %>

_Request Parameters_

<%= render('IdentityProviderEndpointDocs/create_SearchAndBind_Groups_Map_ToScopes_LDAPIdentityProvider/request-parameters.md') %>

_Request Fields_

<%= render('IdentityProviderEndpointDocs/create_SearchAndBind_Groups_Map_ToScopes_LDAPIdentityProvider/request-fields.md') %>

_Response Fields_

<%= render('IdentityProviderEndpointDocs/create_SearchAndBind_Groups_Map_ToScopes_LDAPIdentityProvider/request-fields.md') %>

_Error Codes_

| Error Code | Description                                                           |
|------------|-----------------------------------------------------------------------|
| 401        | Unauthorized - Missing or invalid token                               |
| 403        | Forbidden - Insufficient scope                                        |
| 409        | Conflict - Provider with same origin and zone id exists               |
| 422        | Unprocessable Entity - Invalid configuration                          |
| 500        | Internal Server Error                                                 |

#### LDAP Search and Compare

<%= render('IdentityProviderEndpointDocs/create_SearchAndCompare_Groups_As_Scopes_LDAPIdentityProvider/curl-request.md') %>
<%= render('IdentityProviderEndpointDocs/create_SearchAndCompare_Groups_As_Scopes_LDAPIdentityProvider/http-request.md') %>
<%= render('IdentityProviderEndpointDocs/create_SearchAndCompare_Groups_As_Scopes_LDAPIdentityProvider/http-response.md') %>

_Request Headers_

<%= render('IdentityProviderEndpointDocs/create_SearchAndCompare_Groups_As_Scopes_LDAPIdentityProvider/request-headers.md') %>

_Request Parameters_

<%= render('IdentityProviderEndpointDocs/create_SearchAndCompare_Groups_As_Scopes_LDAPIdentityProvider/request-parameters.md') %>

_Request Fields_

<%= render('IdentityProviderEndpointDocs/create_SearchAndCompare_Groups_As_Scopes_LDAPIdentityProvider/request-fields.md') %>

_Response Fields_

<%= render('IdentityProviderEndpointDocs/create_SearchAndCompare_Groups_As_Scopes_LDAPIdentityProvider/request-fields.md') %>

_Error Codes_

| Error Code | Description                                                           |
|------------|-----------------------------------------------------------------------|
| 401        | Unauthorized - Missing or invalid token                               |
| 403        | Forbidden - Insufficient scope                                        |
| 409        | Conflict - Provider with same origin and zone id exists               |
| 422        | Unprocessable Entity - Invalid configuration                          |
| 500        | Internal Server Error                                                 |

### OAuth/OIDC

<aside class="success">
  Added in UAA 3.3.0
</aside>

<%= render('IdentityProviderEndpointDocs/createOAuthIdentityProvider/curl-request.md') %>
<%= render('IdentityProviderEndpointDocs/createOAuthIdentityProvider/http-request.md') %>
<%= render('IdentityProviderEndpointDocs/createOAuthIdentityProvider/http-response.md') %>

_Request Headers_

<%= render('IdentityProviderEndpointDocs/createOAuthIdentityProvider/request-headers.md') %>

_Request Parameters_

<%= render('IdentityProviderEndpointDocs/createOAuthIdentityProvider/request-parameters.md') %>

_Request Fields_

<%= render('IdentityProviderEndpointDocs/createOAuthIdentityProvider/request-fields.md') %>

_Response Fields_

<%= render('IdentityProviderEndpointDocs/createOAuthIdentityProvider/request-fields.md') %>

_Error Codes_

| Error Code | Description                                                           |
|------------|-----------------------------------------------------------------------|
| 403        | Forbidden - Insufficient scope                                        |
| 409        | Conflict - Provider with same origin and zone id exists               |
| 422        | Unprocessable Entity - Invalid configuration                          |
| 500        | Internal Server Error                                                 |


<aside class="success">
  Added in UAA 3.3.0, Discovery URL added in UAA 3.10.0
</aside>

<%= render('IdentityProviderEndpointDocs/createOidcIdentityProvider/curl-request.md') %>
<%= render('IdentityProviderEndpointDocs/createOidcIdentityProvider/http-request.md') %>
<%= render('IdentityProviderEndpointDocs/createOidcIdentityProvider/http-response.md') %>

_Request Headers_

<%= render('IdentityProviderEndpointDocs/createOidcIdentityProvider/request-headers.md') %>

_Request Parameters_

<%= render('IdentityProviderEndpointDocs/createOidcIdentityProvider/request-parameters.md') %>

_Request Fields_

<%= render('IdentityProviderEndpointDocs/createOidcIdentityProvider/request-fields.md') %>

_Response Fields_

<%= render('IdentityProviderEndpointDocs/createOidcIdentityProvider/request-fields.md') %>

_Error Codes_

| Error Code | Description                                                           |
|------------|-----------------------------------------------------------------------|
| 403        | Forbidden - Insufficient scope                                        |
| 409        | Conflict - Provider with same origin and zone id exists               |
| 422        | Unprocessable Entity - Invalid configuration                          |
| 500        | Internal Server Error                                                 |

## Retrieve All

<%= render('IdentityProviderEndpointDocs/getAllIdentityProviders/curl-request.md') %>
<%= render('IdentityProviderEndpointDocs/getAllIdentityProviders/http-request.md') %>
<%= render('IdentityProviderEndpointDocs/getAllIdentityProviders/http-response.md') %>

_Request Headers_

<%= render('IdentityProviderEndpointDocs/getAllIdentityProviders/request-headers.md') %>

_Request Parameters_

<%= render('IdentityProviderEndpointDocs/getAllIdentityProviders/request-parameters.md') %>

_Response Fields_

<%= render('IdentityProviderEndpointDocs/getAllIdentityProviders/response-fields.md') %>

_Error Codes_

| Error Code | Description                                                           |
|------------|-----------------------------------------------------------------------|
| 403        | Forbidden - Insufficient scope                                        |

## Retrieve

<%= render('IdentityProviderEndpointDocs/getIdentityProvider/curl-request.md') %>
<%= render('IdentityProviderEndpointDocs/getIdentityProvider/http-request.md') %>
<%= render('IdentityProviderEndpointDocs/getIdentityProvider/http-response.md') %>

_Path Parameters_

<%= render('IdentityProviderEndpointDocs/getIdentityProvider/path-parameters.md') %>

_Request Headers_

<%= render('IdentityProviderEndpointDocs/getIdentityProvider/request-headers.md') %>

_Request Parameters_

<%= render('IdentityProviderEndpointDocs/getIdentityProvider/request-parameters.md') %>

_Response Fields_

<%= render('IdentityProviderEndpointDocs/getIdentityProvider/response-fields.md') %>

_Error Codes_

| Error Code | Description                                                           |
|------------|-----------------------------------------------------------------------|
| 403        | Forbidden - Insufficient scope                                        |

## Update

<%= render('IdentityProviderEndpointDocs/updateIdentityProvider/curl-request.md') %>
<%= render('IdentityProviderEndpointDocs/updateIdentityProvider/http-request.md') %>
<%= render('IdentityProviderEndpointDocs/updateIdentityProvider/http-response.md') %>

_Path Parameters_

<%= render('IdentityProviderEndpointDocs/updateIdentityProvider/path-parameters.md') %>

_Request Headers_

<%= render('IdentityProviderEndpointDocs/updateIdentityProvider/request-headers.md') %>

_Request Parameters_

<%= render('IdentityProviderEndpointDocs/updateIdentityProvider/request-parameters.md') %>

<aside class="notice">
  This example is for updating the internal (uaa) identity provider. <br/>
  For SAML refer to <a href="#saml">SAML Provider Fields</a>. <br/>
  For LDAP identity provider refer to <a href="#ldap">LDAP Provider Fields</a>.
</aside>

_Request and Response Fields_

<%= render('IdentityProviderEndpointDocs/updateIdentityProvider/request-fields.md') %>

_Error Codes_

| Error Code | Description                                                           |
|------------|-----------------------------------------------------------------------|
| 403        | Forbidden - Insufficient scope                                        |
| 422        | Unprocessable Entity - Invalid config                                 |

## Delete

<%= render('IdentityProviderEndpointDocs/deleteIdentityProvider/curl-request.md') %>
<%= render('IdentityProviderEndpointDocs/deleteIdentityProvider/http-request.md') %>
<%= render('IdentityProviderEndpointDocs/deleteIdentityProvider/http-response.md') %>

_Path Parameters_

<%= render('IdentityProviderEndpointDocs/deleteIdentityProvider/path-parameters.md') %>

_Request Headers_

<%= render('IdentityProviderEndpointDocs/deleteIdentityProvider/request-headers.md') %>

_Request Parameters_

<%= render('IdentityProviderEndpointDocs/deleteIdentityProvider/request-parameters.md') %>

_Response Fields_

<%= render('IdentityProviderEndpointDocs/deleteIdentityProvider/response-fields.md') %>

_Error Codes_

| Error Code | Description                                                           |
|------------|-----------------------------------------------------------------------|
| 403        | Forbidden - Insufficient scope                                        |
| 422        | Unprocessable Entity                                                  |

## Force password change for Users
<%= render('IdentityProviderEndpointDocs/patchIdentityProviderStatus/curl-request.md') %>
<%= render('IdentityProviderEndpointDocs/patchIdentityProviderStatus/http-request.md') %>
<%= render('IdentityProviderEndpointDocs/patchIdentityProviderStatus/http-response.md') %>

_Path Parameters_

<%= render('IdentityProviderEndpointDocs/patchIdentityProviderStatus/path-parameters.md') %>

_Request Headers_

<%= render('IdentityProviderEndpointDocs/patchIdentityProviderStatus/request-headers.md') %>

<aside class="notice">
  This example is for updating the internal (uaa) identity provider only. <br/>
  It is not a valid operation to update SAML or LDAP identity providers. <br/>
</aside>

_Request and Response Fields_

<%= render('IdentityProviderEndpointDocs/patchIdentityProviderStatus/request-fields.md') %>

_Error Codes_

| Error Code | Description                                                           |
|------------|-----------------------------------------------------------------------|
| 403        | Forbidden - Insufficient scope                                        |
| 422        | Unprocessable Entity - Invalid config                                 |


# Service Providers

UAA is capable of acting as a SAML Identity Provider (IdP). When UAA receives a SAML authentication request from a recognized SAML Service Provider (SP), UAA will authenticate the user and then send a SAML authentication response back to the SAML SP. If UAA successfully authenticated the user, the SAML authentication response will contain a SAML assertion as per the specification.

Obtaining the UAA SAML IdP metadata:

In order to establish trust, a SAML IdP and SAML SP exchange SAML metadata, which contains public certificates as well as the endpoints used to communicate with each other. Your SAML SP will likely require the UAA SAML IdP metadata in order to make authentication requests to UAA. You can obtain this metadata by making a GET request to the `/saml/idp/metadata` endpoint.

`GET http://localhost:8080/uaa/saml/idp/metadata`

## Initiate IDP Login Flow

When the UAA is an IdP, you can initiate the login flow to the Service Provider (SP) by using the `initiate` endpoint.
This is a browser flow.

<%= render('UaaSamlIDPEndpointDocs/document_idp_initiated_flow/curl-request.md') %>
<%= render('UaaSamlIDPEndpointDocs/document_idp_initiated_flow/http-request.md') %>
<%= render('UaaSamlIDPEndpointDocs/document_idp_initiated_flow/response-body.md') %>

_Request Parameters_

<%= render('UaaSamlIDPEndpointDocs/document_idp_initiated_flow/request-parameters.md') %>

_Error Codes_

| Error Code | Description                                                                             |
|------------|-----------------------------------------------------------------------------------------|
| 400        | If IDP initiated login is not enabled, the SP parameter is incorrect or SP is disabled. |


## List

<%= render('UaaSamlIDPEndpointDocs/getAllServiceProviders/curl-request.md') %>
<%= render('UaaSamlIDPEndpointDocs/getAllServiceProviders/http-request.md') %>
<%= render('UaaSamlIDPEndpointDocs/getAllServiceProviders/http-response.md') %>

_Request Headers_

<%= render('UaaSamlIDPEndpointDocs/getAllServiceProviders/request-headers.md') %>

_Response Fields_

<%= render('UaaSamlIDPEndpointDocs/getAllServiceProviders/response-fields.md') %>

_Error Codes_

| Error Code | Description                                                           |
|------------|-----------------------------------------------------------------------|
| 403        | Forbidden - Insufficient scope                                        |

## Get

<%= render('UaaSamlIDPEndpointDocs/getServiceProvider/curl-request.md') %>
<%= render('UaaSamlIDPEndpointDocs/getServiceProvider/http-request.md') %>
<%= render('UaaSamlIDPEndpointDocs/getServiceProvider/http-response.md') %>

_Request Headers_

<%= render('UaaSamlIDPEndpointDocs/getServiceProvider/request-headers.md') %>

_Path Parameters_

<%= render('UaaSamlIDPEndpointDocs/getServiceProvider/path-parameters.md') %>

_Response Fields_

<%= render('UaaSamlIDPEndpointDocs/getServiceProvider/response-fields.md') %>

_Error Codes_

| Error Code | Description                                                           |
|------------|-----------------------------------------------------------------------|
| 403        | Forbidden - Insufficient scope                                        |

## Create

<%= render('UaaSamlIDPEndpointDocs/createServiceProvider/curl-request.md') %>
<%= render('UaaSamlIDPEndpointDocs/createServiceProvider/http-request.md') %>
<%= render('UaaSamlIDPEndpointDocs/createServiceProvider/http-response.md') %>

_Request Headers_

<%= render('UaaSamlIDPEndpointDocs/createServiceProvider/request-headers.md') %>

_Request Fields_

<%= render('UaaSamlIDPEndpointDocs/createServiceProvider/request-fields.md') %>

_Response Fields_

<%= render('UaaSamlIDPEndpointDocs/createServiceProvider/response-fields.md') %>

_Error Codes_

| Error Code | Description                                                           |
|------------|-----------------------------------------------------------------------|
| 403        | Forbidden - Insufficient scope                                        |
| 422        | Unprocessable Entity                                                  |
| 409        | Conflict - A provider with the same entity id and zone id exists.     |


## Update

<%= render('UaaSamlIDPEndpointDocs/updateServiceProvider/curl-request.md') %>
<%= render('UaaSamlIDPEndpointDocs/updateServiceProvider/http-request.md') %>
<%= render('UaaSamlIDPEndpointDocs/updateServiceProvider/http-response.md') %>

_Request Headers_

<%= render('UaaSamlIDPEndpointDocs/updateServiceProvider/request-headers.md') %>

_Request Fields_

<%= render('UaaSamlIDPEndpointDocs/updateServiceProvider/request-fields.md') %>

_Path Parameters_

<%= render('UaaSamlIDPEndpointDocs/updateServiceProvider/path-parameters.md') %>

_Response Fields_

<%= render('UaaSamlIDPEndpointDocs/updateServiceProvider/response-fields.md') %>

_Error Codes_

| Error Code | Description                                                           |
|------------|-----------------------------------------------------------------------|
| 403        | Forbidden - Insufficient scope                                        |
| 422        | Unprocessable Entity                                                  |
| 409        | Conflict - A provider with the same entity id and zone id exists.     |

## Delete

<%= render('UaaSamlIDPEndpointDocs/deleteServiceProvider/curl-request.md') %>
<%= render('UaaSamlIDPEndpointDocs/deleteServiceProvider/http-request.md') %>
<%= render('UaaSamlIDPEndpointDocs/deleteServiceProvider/http-response.md') %>

_Request Headers_

<%= render('UaaSamlIDPEndpointDocs/deleteServiceProvider/request-headers.md') %>

_Path Parameters_

<%= render('UaaSamlIDPEndpointDocs/deleteServiceProvider/path-parameters.md') %>

_Response Fields_

<%= render('UaaSamlIDPEndpointDocs/deleteServiceProvider/response-fields.md') %>

_Error Codes_

| Error Code | Description                                                           |
|------------|-----------------------------------------------------------------------|
| 403        | Forbidden - Insufficient scope                                        |


# MFA Providers

## Create

<aside class="success">
  Added in UAA 4.13.0
</aside>

<%= render('MfaProviderEndpointDocs/testCreateGoogleMfaProvider/curl-request.md') %>
<%= render('MfaProviderEndpointDocs/testCreateGoogleMfaProvider/http-request.md') %>
<%= render('MfaProviderEndpointDocs/testCreateGoogleMfaProvider/http-response.md') %>

_Request Headers_

<%= render('MfaProviderEndpointDocs/testCreateGoogleMfaProvider/request-headers.md') %>

_Request Fields_

<%= render('MfaProviderEndpointDocs/testCreateGoogleMfaProvider/request-fields.md') %>


_Response Fields_

<%= render('MfaProviderEndpointDocs/testCreateGoogleMfaProvider/response-fields.md') %>

_Error Codes_

| Error Code | Description                                                                                            |
|------------|--------------------------------------------------------------------------------------------------------|
| 400        | Bad Request - JSON body was malformed or missing fields                                                |
| 401        | Unauthorized - Invalid token                                                                           |
| 403        | Forbidden - Insufficient scope (`uaa.admin` or `zones.<zoneId>.admin` is required to create an MFA provider) |
| 422        | Unprocessable Entity - Some values in the MFA configuration are invalid                                |


## Update

<aside class="warning">
  Update is not supported for MFA provider.
</aside>




_Error Codes_

| Error Code | Description                                                                                            |
|------------|--------------------------------------------------------------------------------------------------------|
| 405        | Method Not Allowed                                                                                     |


## Get

<aside class="success">
  Added in UAA 4.13.0
</aside>

<%= render('MfaProviderEndpointDocs/testGetMfaProvider/curl-request.md') %>
<%= render('MfaProviderEndpointDocs/testGetMfaProvider/http-request.md') %>
<%= render('MfaProviderEndpointDocs/testGetMfaProvider/http-response.md') %>

_Request Headers_

<%= render('MfaProviderEndpointDocs/testGetMfaProvider/request-headers.md') %>

_Response Fields_

<%= render('MfaProviderEndpointDocs/testGetMfaProvider/response-fields.md') %>

_Error Codes_

| Error Code | Description                                                                                            |
|------------|--------------------------------------------------------------------------------------------------------|
| 401        | Unauthorized - Invalid token                                                                           |
| 403        | Forbidden - Insufficient scope (`uaa.admin` or `zones.<zoneId>.admin` is required to retrieve an MFA provider) |
| 404        | Not Found - Provider id not found                                                                      |


## Delete

<aside class="success">
  Added in UAA 4.13.0
</aside>

<%= render('MfaProviderEndpointDocs/testDeleteMfaProvider/curl-request.md') %>
<%= render('MfaProviderEndpointDocs/testDeleteMfaProvider/http-request.md') %>
<%= render('MfaProviderEndpointDocs/testDeleteMfaProvider/http-response.md') %>

_Request Headers_

<%= render('MfaProviderEndpointDocs/testDeleteMfaProvider/request-headers.md') %>

_Response Fields_

<%= render('MfaProviderEndpointDocs/testDeleteMfaProvider/response-fields.md') %>

_Error Codes_

| Error Code | Description                                                                                            |
|------------|--------------------------------------------------------------------------------------------------------|
| 401        | Unauthorized - Invalid token                                                                           |
| 403        | Forbidden - Insufficient scope (`uaa.admin` or `zones.<zoneId>.admin` is required to delete an MFA provider) |
| 404        | Not Found - Provider id not found                                                                      |

## List

<aside class="success">
  Added in UAA 4.13.0
</aside>

<%= render('MfaProviderEndpointDocs/testListMfaProviders/curl-request.md') %>
<%= render('MfaProviderEndpointDocs/testListMfaProviders/http-request.md') %>
<%= render('MfaProviderEndpointDocs/testListMfaProviders/http-response.md') %>

_Request Headers_

<%= render('MfaProviderEndpointDocs/testListMfaProviders/request-headers.md') %>

_Response Fields_

<%= render('MfaProviderEndpointDocs/testListMfaProviders/response-fields.md') %>

_Error Codes_

| Error Code | Description                                                                                            |
|------------|--------------------------------------------------------------------------------------------------------|
| 401        | Unauthorized - Invalid token                                                                           |
| 403        | Forbidden - Insufficient scope (`uaa.admin` or `zones.<zoneId>.admin` is required to list MFA providers) |

# Users

Users can be queried, created and updated via the `/Users` endpoint.

## Get

<%= render('ScimUserEndpointDocs/test_Get_User/curl-request.md') %>
<%= render('ScimUserEndpointDocs/test_Get_User/http-request.md') %>
<%= render('ScimUserEndpointDocs/test_Get_User/http-response.md') %>

_Request Headers_

<%= render('ScimUserEndpointDocs/test_Get_User/request-headers.md') %>

_Response Fields_

<%= render('ScimUserEndpointDocs/test_Get_User/response-fields.md') %>

_Error Codes_

| Error Code | Description                                                                                            |
|------------|--------------------------------------------------------------------------------------------------------|
| 400        | Bad Request - Invalid JSON format or missing fields                                                    |
| 401        | Unauthorized - Invalid token                                                                           |
| 403        | Forbidden - Insufficient scope (`scim.read` is required to retrieve a user)                            |
| 404        | Not Found - User id not found                                                                          |

>Example using uaac to get users:

```bash
uaac target http://localhost:8080/uaa

uaac token client get admin -s adminsecret

uaac user get testuser
```

## List

Listing users supports <a href="http://www.simplecloud.info/specs/draft-scim-api-01.html#query-resources">SCIM filtering</a> on the available attributes.
By default, users are returned with their group memberships and approvals, a rather expensive operation.
To avoid this, include the `attributes` parameter in the search to limit the fields returned.

<%= render('ScimUserEndpointDocs/test_Find_Users/curl-request.md') %>
<%= render('ScimUserEndpointDocs/test_Find_Users/http-request.md') %>
<%= render('ScimUserEndpointDocs/test_Find_Users/http-response.md') %>

_Request Headers_

<%= render('ScimUserEndpointDocs/test_Find_Users/request-headers.md') %>

_Request Parameters_

<%= render('ScimUserEndpointDocs/test_Find_Users/request-parameters.md') %>

_Response Fields_

<%= render('ScimUserEndpointDocs/test_Find_Users/response-fields.md') %>

_Error Codes_

| Error Code | Description                                                                                            |
|------------|--------------------------------------------------------------------------------------------------------|
| 400        | Bad Request - Invalid JSON format or missing fields                                                    |
| 401        | Unauthorized - Invalid token                                                                           |
| 403        | Forbidden - Insufficient scope (`scim.read` is required to search users)                               |

>Example using uaac to view users:

```bash
uaac target http://localhost:8080/uaa

uaac token client get admin -s adminsecret

uaac users
```

## List with Attribute Filtering

Listing users supports <a href="http://www.simplecloud.info/specs/draft-scim-api-01.html#query-resources">SCIM filtering</a> on the available attributes.
When searching for users, filtering can limit the response to a selected subset of the data.
The attribute `groups` will cause the UAA to query the group memberships and include them in the result, making the operation more expensive.
The attribute `approvals` will cause the UAA to query the user approvals and include them in the result, making the operation more expensive.

<%= render('ScimUserEndpointDocs/test_Find_With_Attributes_Users/curl-request.md') %>
<%= render('ScimUserEndpointDocs/test_Find_With_Attributes_Users/http-request.md') %>
<%= render('ScimUserEndpointDocs/test_Find_With_Attributes_Users/http-response.md') %>

_Request Headers_

<%= render('ScimUserEndpointDocs/test_Find_With_Attributes_Users/request-headers.md') %>

_Request Parameters_

<%= render('ScimUserEndpointDocs/test_Find_With_Attributes_Users/request-parameters.md') %>

_Response Fields_

<%= render('ScimUserEndpointDocs/test_Find_With_Attributes_Users/response-fields.md') %>
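The following is an added example, not part of the UAA project or its generated snippets: a small Python helper that builds a `/Users` search URL with a validated filter and an explicit `attributes` list, and warns when the request will trigger the expensive `groups` or `approvals` lookups. The `filter`, `startIndex` and `count` parameter names are taken from the SCIM specification linked above; the allow-lists, the upper bound on `count` and the function names are assumptions of this example.

```python
import re
from urllib.parse import urlencode

# Attributes that, per the text above, make the UAA run extra queries per user.
EXPENSIVE_ATTRIBUTES = frozenset({"groups", "approvals"})

# Assumption: attribute paths are plain SCIM names such as "userName" or "emails.value".
ATTRIBUTE_RE = re.compile(r"[A-Za-z][A-Za-z0-9]*(?:\.[A-Za-z][A-Za-z0-9]*)*")

# Assumption: a conservative allow-list for filter values. Quotes, backslashes and
# control characters are rejected outright, so a value can never end the quoted literal.
VALUE_RE = re.compile(r"[A-Za-z0-9 @._+-]{1,255}")


def scim_eq(attribute, value):
    """Return the SCIM filter `attribute eq "value"` after validating both parts."""
    if not ATTRIBUTE_RE.fullmatch(attribute):
        raise ValueError(f"invalid attribute name: {attribute!r}")
    if not VALUE_RE.fullmatch(value):
        raise ValueError("filter value contains characters outside the allow-list")
    return f'{attribute} eq "{value}"'


def build_user_search(base_url, filter_expr=None, attributes=None,
                      start_index=1, count=100):
    """Build a GET /Users URL and return (url, warnings).

    Warnings describe requests that will be expensive on the server side.
    """
    # SCIM paging is 1-based; the upper bound of 500 is this example's own limit.
    if start_index < 1 or not 1 <= count <= 500:
        raise ValueError("start_index must be >= 1 and count between 1 and 500")

    warnings = []
    params = {}
    if filter_expr:
        params["filter"] = filter_expr

    if attributes:
        for name in attributes:
            if not ATTRIBUTE_RE.fullmatch(name):
                raise ValueError(f"invalid attribute name: {name!r}")
        params["attributes"] = ",".join(attributes)
        costly = sorted(a for a in attributes if a.lower() in EXPENSIVE_ATTRIBUTES)
        if costly:
            warnings.append("expensive attributes requested: " + ", ".join(costly))
    else:
        # Without `attributes` the full user is returned, memberships included.
        warnings.append("no attributes given: groups and approvals are returned by default")

    params["startIndex"] = start_index
    params["count"] = count
    return f"{base_url.rstrip('/')}/Users?{urlencode(params)}", warnings


if __name__ == "__main__":
    # Constructed sample input; the base URL is the one used by the uaac examples.
    url, notes = build_user_search(
        "http://localhost:8080/uaa",
        filter_expr=scim_eq("userName", "testuser"),
        attributes=["id", "userName", "emails.value"],
    )
    print(url)
    for note in notes:
        print("warning:", note)
```

Send the resulting URL with a bearer token that carries the `scim.read` scope, as listed in the error table for the user search.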

## Create

<%= render('ScimUserEndpointDocs/test_Create_User/curl-request.md') %>
<%= render('ScimUserEndpointDocs/test_Create_User/http-request.md') %>
<%= render('ScimUserEndpointDocs/test_Create_User/http-response.md') %>

_Request Headers_

<%= render('ScimUserEndpointDocs/test_Create_User/request-headers.md') %>

_Request Fields_

<%= render('ScimUserEndpointDocs/test_Create_User/request-fields.md') %>

_Response Fields_

<%= render('ScimUserEndpointDocs/test_Create_User/response-fields.md') %>

_Error Codes_

| Error Code | Description                                                                                            |
|------------|--------------------------------------------------------------------------------------------------------|
| 400        | Bad Request - Invalid JSON format or missing fields                                                    |
| 401        | Unauthorized - Invalid token                                                                           |
| 403        | Forbidden - Insufficient scope (`scim.write` is required to create a user)                             |
| 409        | Conflict - Username already exists                                                                     |

>Example using uaac to create a user:

```bash
uaac target http://localhost:8080/uaa

uaac token client get admin -s adminsecret

uaac user add testuser --given_name About --family_name Schmidt --emails testuser@test.org --password secret
```

## Update

<aside class="notice">
  Users can only be updated when internal user management is enabled.
</aside>

<%= render('ScimUserEndpointDocs/test_Update_User/curl-request.md') %>
<%= render('ScimUserEndpointDocs/test_Update_User/http-request.md') %>
<%= render('ScimUserEndpointDocs/test_Update_User/http-response.md') %>

_Request Headers_

<%= render('ScimUserEndpointDocs/test_Update_User/request-headers.md') %>

_Request Fields_

<%= render('ScimUserEndpointDocs/test_Update_User/request-fields.md') %>

_Response Fields_

<%= render('ScimUserEndpointDocs/test_Update_User/response-fields.md') %>

_Error Codes_

| Error Code | Description                                                                                            |
|------------|--------------------------------------------------------------------------------------------------------|
| 400        | Bad Request - Invalid JSON format or missing fields                                                    |
| 401        | Unauthorized - Invalid token                                                                           |
| 403        | Forbidden - Insufficient scope (`scim.write` is required to update a user)                             |
| 404        | Not Found - User id not found                                                                          |

>Example using uaac to update a user:

```bash
uaac target http://localhost:8080/uaa

uaac token client get admin -s adminsecret

uaac user update testuser --given_name About --family_name Schmidt --emails testuser@test.org --phones 415-555-1212
```

## Patch

<aside class="notice">
  Users can only be patched when internal user management is enabled.
</aside>

<%= render('ScimUserEndpointDocs/test_Patch_User/curl-request.md') %>
<%= render('ScimUserEndpointDocs/test_Patch_User/http-request.md') %>
<%= render('ScimUserEndpointDocs/test_Patch_User/http-response.md') %>

_Request Headers_

<%= render('ScimUserEndpointDocs/test_Patch_User/request-headers.md') %>

_Request Fields_

<%= render('ScimUserEndpointDocs/test_Patch_User/request-fields.md') %>

_Response Fields_

<%= render('ScimUserEndpointDocs/test_Patch_User/response-fields.md') %>

_Error Codes_

| Error Code | Description                                                                                            |
|------------|--------------------------------------------------------------------------------------------------------|
| 400        | Bad Request - Invalid JSON format or missing fields                                                    |
| 401        | Unauthorized - Invalid token                                                                           |
| 403        | Forbidden - Insufficient scope (`scim.write` is required to update a user)                             |
| 404        | Not Found - User id not found                                                                          |

>Example using uaac to patch users:

```bash
uaac target http://localhost:8080/uaa

uaac token client get admin -s adminsecret

uaac user update testuser --given_name About --family_name Schmidt --emails testuser@test.org --phones 415-555-1212
```

## Delete

<%= render('ScimUserEndpointDocs/test_Delete_User/curl-request.md') %>
<%= render('ScimUserEndpointDocs/test_Delete_User/http-request.md') %>
<%= render('ScimUserEndpointDocs/test_Delete_User/http-response.md') %>

_Request Headers_

<%= render('ScimUserEndpointDocs/test_Delete_User/request-headers.md') %>

_Response Fields_

<%= render('ScimUserEndpointDocs/test_Delete_User/response-fields.md') %>

_Error Codes_

| Error Code | Description                                                                                            |
|------------|--------------------------------------------------------------------------------------------------------|
| 400        | Bad Request - Invalid JSON format or missing fields                                                    |
| 401        | Unauthorized - Invalid token                                                                           |
| 403        | Forbidden - Insufficient scope (`scim.write` is required to delete a user)                             |
| 404        | Not Found - User id not found                                                                          |

>Example using uaac to delete users:

```bash
uaac target http://localhost:8080/uaa

uaac token client get admin -s adminsecret

uaac user delete testuser
```

## User Info

The User Info endpoint is an OAuth2 protected resource and an OpenID Connect endpoint. Given an appropriate `access_token`, it returns information about a user. Defined fields include various standard user profile fields. The response may include other user information such as group membership.

<%= render('UserInfoEndpointDocs/test_Get_UserInfo/curl-request.md') %>
<%= render('UserInfoEndpointDocs/test_Get_UserInfo/http-request.md') %>
<%= render('UserInfoEndpointDocs/test_Get_UserInfo/http-response.md') %>

_Request Headers_

<%= render('UserInfoEndpointDocs/test_Get_UserInfo/request-headers.md') %>

_Response Fields_

<%= render('UserInfoEndpointDocs/test_Get_UserInfo/response-fields.md') %>

_Error Codes_

| Error Code | Description                                                                                            |
|------------|--------------------------------------------------------------------------------------------------------|
| 400        | Bad Request - Invalid JSON format or missing fields                                                    |
| 401        | Unauthorized - Invalid token                                                                           |
| 403        | Forbidden - Insufficient scope (`openid` is required to get the user info)                             |

>Example using uaac to view user info:

```bash
uaac target http://localhost:8080/uaa

uaac token authcode get admin -s adminsecret

uaac curl -X GET /userinfo -k
```


## Change user password

<%= render('ScimUserEndpointDocs/test_Change_Password/curl-request.md') %>
<%= render('ScimUserEndpointDocs/test_Change_Password/http-request.md') %>
<%= render('ScimUserEndpointDocs/test_Change_Password/http-response.md') %>

_Request Headers_

<%= render('ScimUserEndpointDocs/test_Change_Password/request-headers.md') %>

_Request Fields_

<%= render('ScimUserEndpointDocs/test_Change_Password/request-fields.md') %>

_Response Fields_

<%= render('ScimUserEndpointDocs/test_Change_Password/response-fields.md') %>

_Error Codes_

| Error Code | Description                                                                                                |
|------------|------------------------------------------------------------------------------------------------------------|
| 400        | Bad Request - Invalid JSON format or missing fields                                                        |
| 401        | Unauthorized - Invalid token                                                                               |
| 403        | Forbidden - Insufficient scope (`scim.write` or a token containing the user id is required)                |
| 404        | Not Found - User id not found                                                                              |

>Example using uaac to change a user's password:

```bash
uaac target http://localhost:8080/uaa

uaac token owner get cf testuser -s "" -p "secret"

uaac password change -o secret -p newsecret
```

## Unlock Account

<aside class="success">
  Added in UAA 3.7.0
</aside>

<%= render('ScimUserEndpointDocs/test_status_unlock_user/curl-request.md') %>
<%= render('ScimUserEndpointDocs/test_status_unlock_user/http-request.md') %>
<%= render('ScimUserEndpointDocs/test_status_unlock_user/http-response.md') %>

_Path Parameters_

<%= render('ScimUserEndpointDocs/test_status_unlock_user/path-parameters.md') %>

_Request Headers_

<%= render('ScimUserEndpointDocs/test_status_unlock_user/request-headers.md') %>

_Request Fields_

<%= render('ScimUserEndpointDocs/test_status_unlock_user/request-fields.md') %>

_Response Fields_

<%= render('ScimUserEndpointDocs/test_status_unlock_user/response-fields.md') %>

_Error Codes_

| Error Code | Description                                                                                                |
|------------|------------------------------------------------------------------------------------------------------------|
| 400        | Bad Request - invalid JSON format or illegal value                                                         |
| 401        | Unauthorized - Invalid token                                                                               |
| 403        | Forbidden - Insufficient scope (`scim.write` or `uaa.account_status.write` required)                       |
| 404        | Not Found - User id not found                                                                              |

## Force user password to expire

<aside class="success">
  Added in UAA 3.9.0
</aside>

<%= render('ScimUserEndpointDocs/test_status_password_expire_user/curl-request.md') %>
<%= render('ScimUserEndpointDocs/test_status_password_expire_user/http-request.md') %>
<%= render('ScimUserEndpointDocs/test_status_password_expire_user/http-response.md') %>

_Path Parameters_

<%= render('ScimUserEndpointDocs/test_status_password_expire_user/path-parameters.md') %>

_Request Headers_

<%= render('ScimUserEndpointDocs/test_status_password_expire_user/request-headers.md') %>

_Request Fields_

<%= render('ScimUserEndpointDocs/test_status_password_expire_user/request-fields.md') %>

_Response Fields_

<%= render('ScimUserEndpointDocs/test_status_password_expire_user/response-fields.md') %>

_Error Codes_

| Error Code | Description                                                                                                |
|------------|------------------------------------------------------------------------------------------------------------|
| 400        | Bad Request - invalid JSON format or illegal value                                                         |
| 401        | Unauthorized - Invalid token                                                                               |
| 403        | Forbidden - Insufficient scope (`scim.write` or `uaa.account_status.write` required)                       |
| 404        | Not Found - User id not found                                                                              |

## Get user verification link

<%= render('ScimUserEndpointDocs/getUserVerificationLink/curl-request.md') %>
<%= render('ScimUserEndpointDocs/getUserVerificationLink/http-request.md') %>
<%= render('ScimUserEndpointDocs/getUserVerificationLink/http-response.md') %>

_Path Parameters_

<%= render('ScimUserEndpointDocs/getUserVerificationLink/path-parameters.md') %>

_Request Headers_

<%= render('ScimUserEndpointDocs/getUserVerificationLink/request-headers.md') %>

_Request Parameters_

<%= render('ScimUserEndpointDocs/getUserVerificationLink/request-parameters.md') %>

_Response Fields_

<%= render('ScimUserEndpointDocs/getUserVerificationLink/response-fields.md') %>

_Error Codes_

| Error Code | Description                                                           |
|------------|-----------------------------------------------------------------------|
| 403        | Forbidden - Insufficient scope or internal user management disabled   |
| 404        | Not Found - User not found                                            |

## Verify user

<%= render('ScimUserEndpointDocs/directlyVerifyUser/curl-request.md') %>
<%= render('ScimUserEndpointDocs/directlyVerifyUser/http-request.md') %>
<%= render('ScimUserEndpointDocs/directlyVerifyUser/http-response.md') %>

_Path Parameters_

<%= render('ScimUserEndpointDocs/directlyVerifyUser/path-parameters.md') %>

_Request Headers_

<%= render('ScimUserEndpointDocs/directlyVerifyUser/request-headers.md') %>

_Error Codes_

| Error Code | Description                                                           |
|------------|-----------------------------------------------------------------------|
| 400        | Bad Request - Incorrect version supplied in If-Match header           |
| 403        | Forbidden - Insufficient scope or internal user management disabled   |
| 404        | Not Found - User not found                                            |

## Delete MFA registration

<%= render('ScimUserEndpointDocs/deleteMfaRegistration/curl-request.md') %>
<%= render('ScimUserEndpointDocs/deleteMfaRegistration/http-request.md') %>
<%= render('ScimUserEndpointDocs/deleteMfaRegistration/http-response.md') %>

_Path Parameters_

<%= render('ScimUserEndpointDocs/deleteMfaRegistration/path-parameters.md') %>

_Request Headers_

<%= render('ScimUserEndpointDocs/deleteMfaRegistration/request-headers.md') %>

_Error Codes_

| Error Code | Description                                                           |
|------------|-----------------------------------------------------------------------|
| 403        | Forbidden - Insufficient scope or internal user management disabled   |
| 404        | Not Found - User not found                                            |

## Lookup User IDs/Usernames

<%= render('UserIdConversionEndpointDocs/lookUpIds/curl-request.md') %>
<%= render('UserIdConversionEndpointDocs/lookUpIds/http-request.md') %>
<%= render('UserIdConversionEndpointDocs/lookUpIds/http-response.md') %>

_Request Headers_

<%= render('UserIdConversionEndpointDocs/lookUpIds/request-headers.md') %>

_Request Parameters_

<%= render('UserIdConversionEndpointDocs/lookUpIds/request-parameters.md') %>

_Response Fields_

<%= render('UserIdConversionEndpointDocs/lookUpIds/response-fields.md') %>

_Error Codes_

| Error Code | Description                                      |
|------------|--------------------------------------------------|
| 400        | Bad Request - Request was invalid or unparseable |
| 403        | Forbidden - Insufficient scope                   |

## Invite users

<%= render('InvitationsEndpointDocs/inviteUsers/curl-request.md') %>
<%= render('InvitationsEndpointDocs/inviteUsers/http-request.md') %>
<%= render('InvitationsEndpointDocs/inviteUsers/http-response.md') %>

_Request Headers_

<%= render('InvitationsEndpointDocs/inviteUsers/request-headers.md') %>

_Request Fields_

<%= render('InvitationsEndpointDocs/inviteUsers/request-fields.md') %>

_Request Parameters_

<%= render('InvitationsEndpointDocs/inviteUsers/request-parameters.md') %>

_Response Fields_

<%= render('InvitationsEndpointDocs/inviteUsers/response-fields.md') %>

_Error Codes_

| Error Code | Description                                                           |
|------------|-----------------------------------------------------------------------|
| 403        | Forbidden - Insufficient scope                                        |

# Groups

## Create

<%= render('ScimGroupEndpointDocs/createScimGroup/curl-request.md') %>
<%= render('ScimGroupEndpointDocs/createScimGroup/http-request.md') %>
<%= render('ScimGroupEndpointDocs/createScimGroup/http-response.md') %>

_Request Headers_

<%= render('ScimGroupEndpointDocs/createScimGroup/request-headers.md') %>

_Request Fields_

<%= render('ScimGroupEndpointDocs/createScimGroup/request-fields.md') %>

_Response Fields_

<%= render('ScimGroupEndpointDocs/createScimGroup/response-fields.md') %>

_Error Codes_

| Error Code | Description                                                           |
|------------|-----------------------------------------------------------------------|
| 400        | Bad Request - Invalid member ID                                       |
| 403        | Forbidden - Insufficient scope                                        |

## Retrieve

<%= render('ScimGroupEndpointDocs/retrieveScimGroup/curl-request.md') %>
<%= render('ScimGroupEndpointDocs/retrieveScimGroup/http-request.md') %>
<%= render('ScimGroupEndpointDocs/retrieveScimGroup/http-response.md') %>

_Path Parameters_

<%= render('ScimGroupEndpointDocs/retrieveScimGroup/path-parameters.md') %>

_Request Headers_

<%= render('ScimGroupEndpointDocs/retrieveScimGroup/request-headers.md') %>

_Response Fields_

<%= render('ScimGroupEndpointDocs/retrieveScimGroup/response-fields.md') %>

_Error Codes_

| Error Code | Description                                                           |
|------------|-----------------------------------------------------------------------|
| 403        | Forbidden - Insufficient scope                                        |

## Update

<%= render('ScimGroupEndpointDocs/updateScimGroup/curl-request.md') %>
<%= render('ScimGroupEndpointDocs/updateScimGroup/http-request.md') %>
<%= render('ScimGroupEndpointDocs/updateScimGroup/http-response.md') %>

_Path Parameters_

<%= render('ScimGroupEndpointDocs/updateScimGroup/path-parameters.md') %>

_Request Headers_

<%= render('ScimGroupEndpointDocs/updateScimGroup/request-headers.md') %>

_Request Fields_

<%= render('ScimGroupEndpointDocs/updateScimGroup/request-fields.md') %>

_Response Fields_

<%= render('ScimGroupEndpointDocs/updateScimGroup/response-fields.md') %>

_Error Codes_

| Error Code | Description                                                           |
|------------|-----------------------------------------------------------------------|
| 400        | Bad Request - Incorrect version supplied in If-Match header           |
| 403        | Forbidden - Insufficient scope                                        |
| 409        | Conflict                                                              |

## Patch

Updating partial elements of a group is documented in the
[SCIM Specification](http://www.simplecloud.info/specs/draft-scim-api-01.html#edit-resource-with-patch).

<%= render('ScimGroupEndpointDocs/patchScimGroup/curl-request.md') %>
<%= render('ScimGroupEndpointDocs/patchScimGroup/http-request.md') %>
<%= render('ScimGroupEndpointDocs/patchScimGroup/http-response.md') %>

_Path Parameters_

<%= render('ScimGroupEndpointDocs/patchScimGroup/path-parameters.md') %>

_Request Headers_

<%= render('ScimGroupEndpointDocs/patchScimGroup/request-headers.md') %>

_Request Fields_

<%= render('ScimGroupEndpointDocs/patchScimGroup/request-fields.md') %>

_Response Fields_

<%= render('ScimGroupEndpointDocs/patchScimGroup/response-fields.md') %>

_Error Codes_

| Error Code | Description                                                           |
|------------|-----------------------------------------------------------------------|
| 400        | Bad Request - Incorrect version supplied in If-Match header           |
| 403        | Forbidden - Insufficient scope                                        |
| 409        | Conflict                                                              |


## Delete

<%= render('ScimGroupEndpointDocs/deleteScimGroup/curl-request.md') %>
<%= render('ScimGroupEndpointDocs/deleteScimGroup/http-request.md') %>
<%= render('ScimGroupEndpointDocs/deleteScimGroup/http-response.md') %>

_Path Parameters_

<%= render('ScimGroupEndpointDocs/deleteScimGroup/path-parameters.md') %>

_Request Headers_

<%= render('ScimGroupEndpointDocs/deleteScimGroup/request-headers.md') %>

_Response Fields_

<%= render('ScimGroupEndpointDocs/deleteScimGroup/response-fields.md') %>

_Error Codes_

| Error Code | Description                                                           |
|------------|-----------------------------------------------------------------------|
| 400        | Bad Request - Incorrect version supplied in If-Match header           |
| 403        | Forbidden - Insufficient scope                                        |
| 409        | Conflict                                                              |

## List

<%= render('ScimGroupEndpointDocs/listScimGroups/curl-request.md') %>
<%= render('ScimGroupEndpointDocs/listScimGroups/http-request.md') %>
<%= render('ScimGroupEndpointDocs/listScimGroups/http-response.md') %>

_Request Headers_

<%= render('ScimGroupEndpointDocs/listScimGroups/request-headers.md') %>

_Request Parameters_

<%= render('ScimGroupEndpointDocs/listScimGroups/request-parameters.md') %>

_Response Fields_

<%= render('ScimGroupEndpointDocs/listScimGroups/response-fields.md') %>

_Error Codes_

| Error Code | Description                                                           |
|------------|-----------------------------------------------------------------------|
| 400        | Bad Request - Invalid attributes                                      |
| 403        | Forbidden - Insufficient scope                                        |

## Check Membership

<%= render('ScimGroupEndpointDocs/getMemberOfGroup/curl-request.md') %>
<%= render('ScimGroupEndpointDocs/getMemberOfGroup/http-request.md') %>
<%= render('ScimGroupEndpointDocs/getMemberOfGroup/http-response.md') %>

_Path Parameters_

<%= render('ScimGroupEndpointDocs/getMemberOfGroup/path-parameters.md') %>

_Request Headers_

<%= render('ScimGroupEndpointDocs/getMemberOfGroup/request-headers.md') %>

_Response Fields_

<%= render('ScimGroupEndpointDocs/getMemberOfGroup/response-fields.md') %>

_Error Codes_

| Error Code | Description                                                           |
|------------|-----------------------------------------------------------------------|
| 400        | Bad Request - Invalid member ID                                       |
| 403        | Forbidden - Insufficient scope                                        |
| 404        | Not Found - Group does not exist, or the entity is not a member       |

## Add Member

<%= render('ScimGroupEndpointDocs/addMemberToGroup/curl-request.md') %>
<%= render('ScimGroupEndpointDocs/addMemberToGroup/http-request.md') %>
<%= render('ScimGroupEndpointDocs/addMemberToGroup/http-response.md') %>

_Path Parameters_

<%= render('ScimGroupEndpointDocs/addMemberToGroup/path-parameters.md') %>

_Request Headers_

<%= render('ScimGroupEndpointDocs/addMemberToGroup/request-headers.md') %>

_Request Fields_

<%= render('ScimGroupEndpointDocs/addMemberToGroup/request-fields.md') %>

_Response Fields_

<%= render('ScimGroupEndpointDocs/addMemberToGroup/response-fields.md') %>

_Error Codes_

| Error Code | Description                                                           |
|------------|-----------------------------------------------------------------------|
| 400        | Bad Request - Invalid member ID                                       |
| 403        | Forbidden - Insufficient scope                                        |
| 404        | Not Found - Specified group or member entity does not exist           |

## Remove Member

<%= render('ScimGroupEndpointDocs/removeMemberFromGroup/curl-request.md') %>
<%= render('ScimGroupEndpointDocs/removeMemberFromGroup/http-request.md') %>
<%= render('ScimGroupEndpointDocs/removeMemberFromGroup/http-response.md') %>

_Path Parameters_

<%= render('ScimGroupEndpointDocs/removeMemberFromGroup/path-parameters.md') %>

_Request Headers_

<%= render('ScimGroupEndpointDocs/removeMemberFromGroup/request-headers.md') %>

_Response Fields_

<%= render('ScimGroupEndpointDocs/removeMemberFromGroup/response-fields.md') %>

_Error Codes_

| Error Code | Description                                                           |
|------------|-----------------------------------------------------------------------|
| 400        | Bad Request - Incorrect version supplied in If-Match header           |
| 403        | Forbidden - Insufficient scope                                        |
| 404        | Not Found - Group does not exist, or the entity is not a member       |
| 409        | Conflict                                                              |

## List Members

<%= render('ScimGroupEndpointDocs/listMembersOfGroup/curl-request.md') %>
<%= render('ScimGroupEndpointDocs/listMembersOfGroup/http-request.md') %>
<%= render('ScimGroupEndpointDocs/listMembersOfGroup/http-response.md') %>

_Path Parameters_

<%= render('ScimGroupEndpointDocs/listMembersOfGroup/path-parameters.md') %>

_Request Headers_

<%= render('ScimGroupEndpointDocs/listMembersOfGroup/request-headers.md') %>

_Request Parameters_

<%= render('ScimGroupEndpointDocs/listMembersOfGroup/request-parameters.md') %>

_Response Fields_

<%= render('ScimGroupEndpointDocs/listMembersOfGroup/response-fields.md') %>

_Error Codes_

| Error Code | Description                                                           |
|------------|-----------------------------------------------------------------------|
| 400        | Bad Request - Invalid attributes                                      |
| 403        | Forbidden - Insufficient scope                                        |
| 404        | Not Found - Specified group does not exist                            |

## External Group Mappings

### Map

<%= render('ScimExternalGroupMappingsEndpointDocs/createExternalGroupMapping/curl-request.md') %>
<%= render('ScimExternalGroupMappingsEndpointDocs/createExternalGroupMapping/http-request.md') %>
<%= render('ScimExternalGroupMappingsEndpointDocs/createExternalGroupMapping/http-response.md') %>

_Request Headers_

<%= render('ScimExternalGroupMappingsEndpointDocs/createExternalGroupMapping/request-headers.md') %>

_Request Fields_

<%= render('ScimExternalGroupMappingsEndpointDocs/createExternalGroupMapping/request-fields.md') %>

_Response Fields_

<%= render('ScimExternalGroupMappingsEndpointDocs/createExternalGroupMapping/response-fields.md') %>

_Error Codes_

| Error Code | Description                                                           |
|------------|-----------------------------------------------------------------------|
| 400        | Bad Request - External group or origin should not be null             |
| 403        | Forbidden - Insufficient scope                                        |
| 404        | Not Found - Incorrect group ID provided                               |

### Unmap

#### By group ID

<%= render('ScimExternalGroupMappingsEndpointDocs/deleteExternalGroupMapping/curl-request.md') %>
<%= render('ScimExternalGroupMappingsEndpointDocs/deleteExternalGroupMapping/http-request.md') %>
<%= render('ScimExternalGroupMappingsEndpointDocs/deleteExternalGroupMapping/http-response.md') %>

_Path Parameters_

<%= render('ScimExternalGroupMappingsEndpointDocs/deleteExternalGroupMapping/path-parameters.md') %>

_Request Headers_

<%= render('ScimExternalGroupMappingsEndpointDocs/deleteExternalGroupMapping/request-headers.md') %>

_Response Fields_

<%= render('ScimExternalGroupMappingsEndpointDocs/deleteExternalGroupMapping/response-fields.md') %>

_Error Codes_

| Error Code | Description                                                           |
|------------|-----------------------------------------------------------------------|
| 403        | Forbidden - Insufficient scope                                        |
| 404        | Not Found - No such group ID, external group, origin combination      |

#### By group display name

<%= render('ScimExternalGroupMappingsEndpointDocs/deleteExternalGroupMappingUsingName/curl-request.md') %>
<%= render('ScimExternalGroupMappingsEndpointDocs/deleteExternalGroupMappingUsingName/http-request.md') %>
<%= render('ScimExternalGroupMappingsEndpointDocs/deleteExternalGroupMappingUsingName/http-response.md') %>

_Path Parameters_

<%= render('ScimExternalGroupMappingsEndpointDocs/deleteExternalGroupMappingUsingName/path-parameters.md') %>

_Request Headers_

<%= render('ScimExternalGroupMappingsEndpointDocs/deleteExternalGroupMappingUsingName/request-headers.md') %>

_Response Fields_

<%= render('ScimExternalGroupMappingsEndpointDocs/deleteExternalGroupMappingUsingName/response-fields.md') %>

_Error Codes_

| Error Code | Description                                                                |
|------------|----------------------------------------------------------------------------|
| 403        | Forbidden - Insufficient scope                                             |
| 404        | Not Found - No such group display name, external group, origin combination |

### List

<%= render('ScimExternalGroupMappingsEndpointDocs/listExternalGroupMapping/curl-request.md') %>
<%= render('ScimExternalGroupMappingsEndpointDocs/listExternalGroupMapping/http-request.md') %>
<%= render('ScimExternalGroupMappingsEndpointDocs/listExternalGroupMapping/http-response.md') %>

_Request Headers_

<%= render('ScimExternalGroupMappingsEndpointDocs/listExternalGroupMapping/request-headers.md') %>

_Response Fields_

<%= render('ScimExternalGroupMappingsEndpointDocs/listExternalGroupMapping/response-fields.md') %>

_Error Codes_

| Error Code | Description                                                           |
|------------|-----------------------------------------------------------------------|
| 400        | Bad Request - Invalid request parameters                              |
| 403        | Forbidden - Insufficient scope                                        |


# Clients

## Create

<%= render('ClientAdminEndpointDocs/createClient/curl-request.md') %>
<%= render('ClientAdminEndpointDocs/createClient/http-request.md') %>
<%= render('ClientAdminEndpointDocs/createClient/http-response.md') %>

_Request Headers_

<%= render('ClientAdminEndpointDocs/createClient/request-headers.md') %>

_Request Fields_

<%= render('ClientAdminEndpointDocs/createClient/request-fields.md') %>

_Response Fields_

<%= render('ClientAdminEndpointDocs/createClient/response-fields.md') %>

## Retrieve

<%= render('ClientAdminEndpointDocs/retrieveClient/curl-request.md') %>
<%= render('ClientAdminEndpointDocs/retrieveClient/http-request.md') %>
<%= render('ClientAdminEndpointDocs/retrieveClient/http-response.md') %>

_Path Parameters_

<%= render('ClientAdminEndpointDocs/retrieveClient/path-parameters.md') %>

_Request Headers_

<%= render('ClientAdminEndpointDocs/retrieveClient/request-headers.md') %>

_Response Fields_

<%= render('ClientAdminEndpointDocs/retrieveClient/response-fields.md') %>

## Update

<%= render('ClientAdminEndpointDocs/updateClient/curl-request.md') %>
<%= render('ClientAdminEndpointDocs/updateClient/http-request.md') %>
<%= render('ClientAdminEndpointDocs/updateClient/http-response.md') %>

_Path Parameters_

<%= render('ClientAdminEndpointDocs/updateClient/path-parameters.md') %>

_Request Headers_

<%= render('ClientAdminEndpointDocs/updateClient/request-headers.md') %>

_Request Fields_

<%= render('ClientAdminEndpointDocs/updateClient/request-fields.md') %>

_Response Fields_

<%= render('ClientAdminEndpointDocs/updateClient/response-fields.md') %>

## Delete

<%= render('ClientAdminEndpointDocs/deleteClient/curl-request.md') %>
<%= render('ClientAdminEndpointDocs/deleteClient/http-request.md') %>
<%= render('ClientAdminEndpointDocs/deleteClient/http-response.md') %>

_Path Parameters_

<%= render('ClientAdminEndpointDocs/deleteClient/path-parameters.md') %>

_Request Headers_

<%= render('ClientAdminEndpointDocs/deleteClient/request-headers.md') %>

_Response Fields_

<%= render('ClientAdminEndpointDocs/deleteClient/response-fields.md') %>

## Change Secret

<%= render('ClientAdminEndpointDocs/changeClientSecret/curl-request.md') %>
<%= render('ClientAdminEndpointDocs/changeClientSecret/http-request.md') %>
<%= render('ClientAdminEndpointDocs/changeClientSecret/http-response.md') %>

_Path Parameters_

<%= render('ClientAdminEndpointDocs/changeClientSecret/path-parameters.md') %>

_Request Headers_

<%= render('ClientAdminEndpointDocs/changeClientSecret/request-headers.md') %>

_Request Fields_

<%= render('ClientAdminEndpointDocs/changeClientSecret/request-fields.md') %>

## List

<%= render('ClientAdminEndpointDocs/listClients/curl-request.md') %>
<%= render('ClientAdminEndpointDocs/listClients/http-request.md') %>
<%= render('ClientAdminEndpointDocs/listClients/http-response.md') %>

_Request Headers_

<%= render('ClientAdminEndpointDocs/listClients/request-headers.md') %>

_Request Parameters_

<%= render('ClientAdminEndpointDocs/listClients/request-parameters.md') %>

_Response Fields_

<%= render('ClientAdminEndpointDocs/listClients/response-fields.md') %>

## Batch Create

<%= render('ClientAdminEndpointDocs/createClientTx/curl-request.md') %>
<%= render('ClientAdminEndpointDocs/createClientTx/http-request.md') %>
<%= render('ClientAdminEndpointDocs/createClientTx/http-response.md') %>

_Request Headers_

<%= render('ClientAdminEndpointDocs/createClientTx/request-headers.md') %>

_Request Fields_

<%= render('ClientAdminEndpointDocs/createClientTx/request-fields.md') %>

_Response Fields_

<%= render('ClientAdminEndpointDocs/createClientTx/response-fields.md') %>

## Batch Update

<%= render('ClientAdminEndpointDocs/updateClientTx/curl-request.md') %>
<%= render('ClientAdminEndpointDocs/updateClientTx/http-request.md') %>
<%= render('ClientAdminEndpointDocs/updateClientTx/http-response.md') %>

_Request Headers_

<%= render('ClientAdminEndpointDocs/updateClientTx/request-headers.md') %>

_Request Fields_

<%= render('ClientAdminEndpointDocs/updateClientTx/request-fields.md') %>

_Response Fields_

<%= render('ClientAdminEndpointDocs/updateClientTx/response-fields.md') %>

## Batch Secret Change

<%= render('ClientAdminEndpointDocs/secretClientTx/curl-request.md') %>
<%= render('ClientAdminEndpointDocs/secretClientTx/http-request.md') %>
<%= render('ClientAdminEndpointDocs/secretClientTx/http-response.md') %>

_Request Headers_

<%= render('ClientAdminEndpointDocs/secretClientTx/request-headers.md') %>

_Request Fields_

<%= render('ClientAdminEndpointDocs/secretClientTx/request-fields.md') %>

_Response Fields_

<%= render('ClientAdminEndpointDocs/secretClientTx/response-fields.md') %>

## Mixed Actions

<%= render('ClientAdminEndpointDocs/modifyClientTx/curl-request.md') %>
<%= render('ClientAdminEndpointDocs/modifyClientTx/http-request.md') %>
<%= render('ClientAdminEndpointDocs/modifyClientTx/http-response.md') %>

_Request Headers_

<%= render('ClientAdminEndpointDocs/modifyClientTx/request-headers.md') %>

_Request Fields_

<%= render('ClientAdminEndpointDocs/modifyClientTx/request-fields.md') %>

_Response Fields_

<%= render('ClientAdminEndpointDocs/modifyClientTx/response-fields.md') %>

## Batch Delete

<%= render('ClientAdminEndpointDocs/deleteClientTx/curl-request.md') %>
<%= render('ClientAdminEndpointDocs/deleteClientTx/http-request.md') %>
<%= render('ClientAdminEndpointDocs/deleteClientTx/http-response.md') %>

_Request Headers_

<%= render('ClientAdminEndpointDocs/deleteClientTx/request-headers.md') %>

_Request Fields_

<%= render('ClientAdminEndpointDocs/deleteClientTx/request-fields.md') %>

_Response Fields_

<%= render('ClientAdminEndpointDocs/deleteClientTx/response-fields.md') %>

## Metadata

### Retrieve

<%= render('ClientMetadataAdminEndpointDocs/getClientMetadata/curl-request.md') %>
<%= render('ClientMetadataAdminEndpointDocs/getClientMetadata/http-request.md') %>
<%= render('ClientMetadataAdminEndpointDocs/getClientMetadata/http-response.md') %>

_Path Parameters_

<%= render('ClientMetadataAdminEndpointDocs/getClientMetadata/path-parameters.md') %>

_Request Headers_

<%= render('ClientMetadataAdminEndpointDocs/getClientMetadata/request-headers.md') %>

_Response Fields_

<%= render('ClientMetadataAdminEndpointDocs/getClientMetadata/response-fields.md') %>

| Error Code | Description                                                           |
|------------|-----------------------------------------------------------------------|
| 404        | Not Found - clientId doesn't exist                                    |

### List

<%= render('ClientMetadataAdminEndpointDocs/getAllClientMetadata/curl-request.md') %>
<%= render('ClientMetadataAdminEndpointDocs/getAllClientMetadata/http-request.md') %>
<%= render('ClientMetadataAdminEndpointDocs/getAllClientMetadata/http-response.md') %>

_Request Headers_

<%= render('ClientMetadataAdminEndpointDocs/getAllClientMetadata/request-headers.md') %>

_Response Fields_

<%= render('ClientMetadataAdminEndpointDocs/getAllClientMetadata/response-fields.md') %>

### Update

<%= render('ClientMetadataAdminEndpointDocs/updateClientMetadata/curl-request.md') %>
<%= render('ClientMetadataAdminEndpointDocs/updateClientMetadata/http-request.md') %>
<%= render('ClientMetadataAdminEndpointDocs/updateClientMetadata/http-response.md') %>

_Request Headers_

<%= render('ClientMetadataAdminEndpointDocs/updateClientMetadata/request-headers.md') %>

_Response Fields_

<%= render('ClientMetadataAdminEndpointDocs/updateClientMetadata/response-fields.md') %>

| Error Code | Description                                                           |
|------------|-----------------------------------------------------------------------|
| 404        | Not Found - clientId doesn't exist                                    |
| 400        | Bad Request                                                           |

# Server Information

The UAA provides several endpoints to describe the server as well as handle various login tasks.

## Server Information

The server information is served from two identical endpoints:

  1. /info
  2. /login

Both return the same result, and both support JSON and HTML output.
The HTML output is intended for browser user agents to display a login page.

<%= render('LoginInfoEndpointDocs/info_endpoint_for_json/curl-request.md') %>
<%= render('LoginInfoEndpointDocs/info_endpoint_for_json/http-request.md') %>
<%= render('LoginInfoEndpointDocs/info_endpoint_for_json/http-response.md') %>

_Request Headers_

<%= render('LoginInfoEndpointDocs/info_endpoint_for_json/request-headers.md') %>

_Request Parameters_

<%= render('LoginInfoEndpointDocs/info_endpoint_for_json/request-parameters.md') %>

_Response Fields_

<%= render('LoginInfoEndpointDocs/info_endpoint_for_json/response-fields.md') %>

## Passcode

An authenticated user can request a one-time authentication code, a passcode, to be used during a
token password grant. Password grants are often used in non-browser environments, and authenticating a user with SAML
may be difficult.

<%= render('LoginInfoEndpointDocs/passcode_request/curl-request.md') %>
<%= render('LoginInfoEndpointDocs/passcode_request/http-request.md') %>
<%= render('LoginInfoEndpointDocs/passcode_request/http-response.md') %>

_Request Headers_

<%= render('LoginInfoEndpointDocs/passcode_request/request-headers.md') %>

## Auto Login

### Get authentication code

This is similar to /passcode; the difference is that with an autologin authentication code, the authentication of the user takes place
during the generation of the temporary authentication code.
The autologin authentication code can be used to log the user in with an HTTP redirect. The UAA will establish an authenticated
server-side session and expire the code. To generate the temporary authentication code, a POST against /autologin is required.

<%= render('LoginInfoEndpointDocs/generate_auto_login_code/curl-request.md') %>
<%= render('LoginInfoEndpointDocs/generate_auto_login_code/http-request.md') %>
<%= render('LoginInfoEndpointDocs/generate_auto_login_code/http-response.md') %>

_Request Headers_

<%= render('LoginInfoEndpointDocs/generate_auto_login_code/request-headers.md') %>

_Request Body_

<%= render('LoginInfoEndpointDocs/generate_auto_login_code/request-fields.md') %>

_Response Body_

<%= render('LoginInfoEndpointDocs/generate_auto_login_code/response-fields.md') %>

### Perform Login

To exchange the code for an authenticated session, simply issue a redirect to /autologin using the code and client_id.
If successful, the user will be redirected to the home page, unless the user had tried to access a protected URL
and the UAA remembers the URL that was accessed.

<%= render('LoginInfoEndpointDocs/perform_auto_login/curl-request.md') %>
<%= render('LoginInfoEndpointDocs/perform_auto_login/http-request.md') %>
<%= render('LoginInfoEndpointDocs/perform_auto_login/http-response.md') %>

_Request Parameters_

<%= render('LoginInfoEndpointDocs/perform_auto_login/request-parameters.md') %>
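The two autologin steps, as an added example that is not part of the UAA project's own documentation snippets: it builds the POST that requests the code and the redirect URL that redeems it, without sending anything. The HTTP Basic client authentication, the `username`/`password` request fields, the `code` and `path` response fields, and the host name are assumptions to check against the field tables for these endpoints.

```python
import base64
import json
from urllib.parse import urlencode, urlsplit

UAA_BASE = "https://uaa.example.test"  # constructed placeholder host


def build_code_request(client_id, client_secret, username, password, base=UAA_BASE):
    """Step 1: POST /autologin as the client, carrying the user's credentials."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "method": "POST",
        "url": f"{base}/autologin",
        "headers": {
            "Authorization": f"Basic {basic}",  # assumed: HTTP Basic client auth
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
        # assumed field names: username, password
        "body": json.dumps({"username": username, "password": password}),
    }


def extract_code(response_body):
    """Read the temporary code from the JSON response; fail closed if absent."""
    code = json.loads(response_body).get("code")  # assumed response field
    if not isinstance(code, str) or not code:
        raise ValueError("autologin response carried no code")
    return code


def build_login_redirect(code, client_id, base=UAA_BASE):
    """Step 2: URL the browser is redirected to, with both values URL-encoded."""
    if urlsplit(base).scheme != "https":
        # the code is a bearer credential for a session; keep it off plain HTTP
        raise ValueError("autologin code must only travel over HTTPS")
    return f"{base}/autologin?" + urlencode({"code": code, "client_id": client_id})


# Constructed sample response, not captured from a real UAA.
SAMPLE_RESPONSE = '{"code": "aB3/x+9Q", "path": "/oauth/authorize"}'

if __name__ == "__main__":
    req = build_code_request("app", "appsecret", "alice", "correct-horse")
    print(req["method"], req["url"])
    print(build_login_redirect(extract_code(SAMPLE_RESPONSE), "app"))
```

Because the code is consumed on first use, a redirect that fails should restart from step 1 rather than retry the same URL.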

# External Login Server

The UAA provides endpoints that facilitate the use of an external login server, that is, a server that handles the UI
for browser-based actions.

## Change Password Flow

### Request Reset Password Code

This endpoint returns a one-time code that can be used to change a user's password.
The actual password change can take place by invoking an API endpoint, `/password_change`, or by a UI flow through
the `/reset_password` endpoint.

<%= render('PasswordEndpointDocs/document_password_reset/curl-request.md') %>
<%= render('PasswordEndpointDocs/document_password_reset/http-request.md') %>
<%= render('PasswordEndpointDocs/document_password_reset/http-response.md') %>

_Request Headers_

<%= render('PasswordEndpointDocs/document_password_reset/request-headers.md') %>

_Request Parameters_

<%= render('PasswordEndpointDocs/document_password_reset/request-parameters.md') %>

_Request Body_

The required request body of this request is the user's username, typically an email address, in the form of a JSON string.<br/>

_Response Body_

<%= render('PasswordEndpointDocs/document_password_reset/response-fields.md') %>
